Type: Support
Groups:- Core Services
Privacy Protection
Privacy Protection is a connected vehicle support application that provides the privacy protection essential to the operation of other connected vehicle applications. Privacy Protection obscures the network identifiers of mobile devices in order to allow communications with credentials management and other centers.
Enterprise
This is one way this application may be realized, but not the only way. There are other ways to build a given application and accomplish a stated objective.
The enterprise diagram can be viewed in SVG or PNG format and the current format is SVG. SVG Diagram
PNG Diagram
Business Interaction Matrix:
Includes Enterprise Objects:
| Enterprise Object | Description |
|---|---|
| CCMS Owner | The organization that is responsible for the Cooperative ITS Credentials Management System. |
| Center Owner | General representation of the owner of the general "Center" physical object. |
| Driver | The 'Driver' represents the person that operates a vehicle on the roadway. Included are operators of private, transit, commercial, and emergency vehicles where the interactions are not particular to the type of vehicle (e.g., interactions supporting vehicle safety applications). The Driver originates driver requests and receives driver information that reflects the interactions which might be useful to all drivers, regardless of vehicle classification. Information and interactions which are unique to drivers of a specific vehicle type (e.g., fleet interactions with transit, commercial, or emergency vehicle drivers) are covered by separate objects. |
| PPG Provider | The 'PPG Provider" is the entity that provides privacy protection services. |
| RSE Owner | The owner of roadside equipment. |
| Traveler | The 'Traveler' represents any individual who uses transportation services. The interfaces to the traveler provide general pre-trip and en-route information supporting trip planning, personal guidance, and requests for assistance in an emergency that are relevant to all transportation system users. It also represents users of a public transportation system and addresses interfaces these users have within a transit vehicle or at transit facilities such as roadside stops and transit centers. |
| Vehicle OBE Owner | The entity, individual, group or corporation that owns the Vehicle On-Board equipment. This could be the same as the Vehicle Owner, but it could be a third part that licenses the use of the OBE to the Owner. |
| Vehicle Owner | The individual, group of individuals or corporate entity that is identified as the registered owner of the Vehicle under state law. |
Includes Resources:
| Resource | Description |
|---|---|
| CCMS Authorization | "CCMS Authorization" components provide authorization credentials (e.g., pseudonym certificates) to end entities. The end entity applies for and obtains authorization credentials, enabling the end entity to enter the "Operational" state. This function requires an interactive dialog, including at minimum a Certificate Request from the end entity desiring certificates. This request will be checked for validity, with the embedded enrollment certificate checked against an internal blacklist. If all checks are passed, this function will distribute a bundle of linked pseudonym certificates suitable for use by the requesting end entity, with the characteristics and usage rules of those certificates dependent on the operational policies of the CCMS. It also provides the secure provisioning of a given object's Decryption Key in response to an authorized request from that object. The retrieved Decryption Key will be used by the receiving object to decrypt the "next valid" batch within the set of previously retrieved Security Credential batches. |
| CCMS Misbehavior Reporting and Action | "CCMS Misbehavior Reporting and Action" components process misbehavior reports from end entities. Misbehavior reports are analyzed and investigated if warranted. Investigated misbehavior reports are correlated with end entities and systemic issues are identified. If revocation is warranted, this component provides information to Authorization or Revocation components to initiate revocation and/or blacklisting, as appropriate. |
| Center | This general physical object is used to model core capabilities that are common to any center. |
| Center Trust Management | "Center Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. |
| Cooperative ITS Credentials Management System | The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials. |
| Personal Information Device | The 'Personal Information Device' provides the capability for travelers to receive formatted traveler information wherever they are. Capabilities include traveler information, trip planning, and route guidance. Frequently a smart phone, the Personal Information Device provides travelers with the capability to receive route planning and other personally focused transportation services from the infrastructure in the field, at home, at work, or while en-route. Personal Information Devices may operate independently or may be linked with connected vehicle on-board equipment. |
| Personal Trust Management | "Personal Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. |
| PPG Privacy Services | "PPG Privacy Services" operates as a proxy, replacing the mobile device's network address with the PPG's, and tagging the message so that it can return replies to the mobile device. |
| Privacy Protection Gateway | The 'Privacy Protection Gateway' is a support system that obscures the network identifiers of mobile devices. A device may communicate to any center using the PPG. |
| Roadside Equipment | 'Roadside Equipment' (RSE) represents the Connected Vehicle roadside devices that are used to send messages to, and receive messages from, nearby vehicles using Dedicated Short Range Communications (DSRC) or other alternative wireless communications technologies. Communications with adjacent field equipment and back office centers that monitor and control the RSE are also supported. This device operates from a fixed position and may be permanently deployed or a portable device that is located temporarily in the vicinity of a traffic incident, road construction, or a special event. It includes a processor, data storage, and communications capabilities that support secure communications with passing vehicles, other field equipment, and centers. |
| RSE Privacy Services | "RSE Privacy Services" operates as a proxy, replacing the mobile device's network address with the RSE's, and tagging the message so that it can return replies to the mobile device. |
| Vehicle | The conveyance that provides the sensory, processing, storage, and communications functions necessary to support efficient, safe, and convenient travel. These functions reside in general vehicles including personal automobiles, commercial vehicles, emergency vehicles, transit vehicles, or other vehicle types. |
| Vehicle OBE | The Vehicle On-Board Equipment (OBE) provides the vehicle-based processing, storage, and communications functions necessary to support connected vehicle operations. The radio(s) supporting V2V and V2I communications are a key component of the Vehicle OBE. This communication platform is augmented with processing and data storage capability that supports the connected vehicle applications. In CVRIA, the Vehicle OBE includes the functions and interfaces that support connected vehicle applications for passenger cars, trucks, and motorcycles. Many of these applications (e.g., V2V Safety applications) apply to all vehicle types including personal vehicles, commercial vehicles, emergency vehicles, transit vehicles, and maintenance vehicles. From this perspective, the Vehicle OBE includes the common interfaces and functions that apply to all motorized vehicles. |
| Vehicle Trust Management | "Vehicle Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. |
Includes Roles:
| Role | Description |
|---|---|
| Operates | An Enterprise controls the functionality and state of the target Resource. An Enterprise that Operates a resource is considered Responsible. |
| Owns | An Enterprise has financial ownership and control over the Resource. An Enterprise that Owns a resource is considered Accountable. |
Includes Coordination:
| Coordination | Type | Description |
|---|---|---|
| Expectation of Data Provision | Expectation | An expectation where one party believes another party will provide data on a regular and recurring basis, and that that data will be useful to the receiver in the context of the receiver's application. This thus includes some expectation of data fields, timeliness, quality, precision and similar qualities of data. |
| Expectation of Privacy Proxy Services | Expectation | Expectation whereby one party expects to provide data to a second party that proxies that data, provides it to a destination suggested by the first party, and protects the originator's contact information. |
| Includes | Includes | Indicates that one component is entirely contained within another component. |
| Vehicle OBE Usage Agreement | Agreement | An agreement that grants one entity permission to use a Vehicle OBE that the other party controls. |
| Vehicle Usage Agreement | Agreement | An agreement between the owner of a vehicle and a prospective operator, whereupon the owner allows the operator to use the vehicle. |
Functional
Includes Processes:
| Level | Name | Type | Allocated to Application Object |
|---|---|---|---|
| 3 | Provide Vehicle Monitoring and Control | Collection | |
| 3.7 | Support Vehicle Secure Communications | Pspec | |
| 6.8 | Provide Traveler Personal Services | Collection | |
| 6.8.4 | Support Personal Secure Communications | Pspec |
- Personal Trust Management |
| 10.1.5.1 | Support Connected Vehicle Center Communications | Pspec |
- Center Trust Management |
| 10.3.3 | Authorize Connected Vehicle Devices | Pspec |
- CCMS Authorization |
| 10.3.4 | Identify Misbehaving Connected Vehicle Devices | Pspec |
- CCMS Misbehavior Reporting and Action |
| 10.3.6 | Protect End-User Privacy | Pspec |
- PPG Privacy Services |
| 10.3.7 | Protect End-User Privacy at Roadside | Pspec |
- RSE Privacy Services |
Includes Data Flows:
Physical
This is one way this application may be realized, but not the only way. There are other ways to build a given application and accomplish a stated objective.
The physical diagram can be viewed in SVG or PNG format and the current format is SVG. SVG Diagram
PNG Diagram
Includes Physical Objects:
| Physical Object | Class | Description |
|---|---|---|
| Center | Center | This general physical object is used to model core capabilities that are common to any center. |
| Cooperative ITS Credentials Management System | Support | The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials. |
| Personal Information Device | Traveler | The 'Personal Information Device' provides the capability for travelers to receive formatted traveler information wherever they are. Capabilities include traveler information, trip planning, and route guidance. Frequently a smart phone, the Personal Information Device provides travelers with the capability to receive route planning and other personally focused transportation services from the infrastructure in the field, at home, at work, or while en-route. Personal Information Devices may operate independently or may be linked with connected vehicle on-board equipment. |
| Privacy Protection Gateway | Support | The 'Privacy Protection Gateway' is a support system that obscures the network identifiers of mobile devices. A device may communicate to any center using the PPG. |
| Roadside Equipment | Field | 'Roadside Equipment' (RSE) represents the Connected Vehicle roadside devices that are used to send messages to, and receive messages from, nearby vehicles using Dedicated Short Range Communications (DSRC) or other alternative wireless communications technologies. Communications with adjacent field equipment and back office centers that monitor and control the RSE are also supported. This device operates from a fixed position and may be permanently deployed or a portable device that is located temporarily in the vicinity of a traffic incident, road construction, or a special event. It includes a processor, data storage, and communications capabilities that support secure communications with passing vehicles, other field equipment, and centers. |
| Vehicle OBE | Vehicle | The Vehicle On-Board Equipment (OBE) provides the vehicle-based processing, storage, and communications functions necessary to support connected vehicle operations. The radio(s) supporting V2V and V2I communications are a key component of the Vehicle OBE. This communication platform is augmented with processing and data storage capability that supports the connected vehicle applications. In CVRIA, the Vehicle OBE includes the functions and interfaces that support connected vehicle applications for passenger cars, trucks, and motorcycles. Many of these applications (e.g., V2V Safety applications) apply to all vehicle types including personal vehicles, commercial vehicles, emergency vehicles, transit vehicles, and maintenance vehicles. From this perspective, the Vehicle OBE includes the common interfaces and functions that apply to all motorized vehicles. |
Includes Application Objects:
| Application Object | Description | Physical Object |
|---|---|---|
| CCMS Authorization | "CCMS Authorization" components provide authorization credentials (e.g., pseudonym certificates) to end entities. The end entity applies for and obtains authorization credentials, enabling the end entity to enter the "Operational" state. This function requires an interactive dialog, including at minimum a Certificate Request from the end entity desiring certificates. This request will be checked for validity, with the embedded enrollment certificate checked against an internal blacklist. If all checks are passed, this function will distribute a bundle of linked pseudonym certificates suitable for use by the requesting end entity, with the characteristics and usage rules of those certificates dependent on the operational policies of the CCMS. It also provides the secure provisioning of a given object's Decryption Key in response to an authorized request from that object. The retrieved Decryption Key will be used by the receiving object to decrypt the "next valid" batch within the set of previously retrieved Security Credential batches. | Cooperative ITS Credentials Management System |
| CCMS Misbehavior Reporting and Action | "CCMS Misbehavior Reporting and Action" components process misbehavior reports from end entities. Misbehavior reports are analyzed and investigated if warranted. Investigated misbehavior reports are correlated with end entities and systemic issues are identified. If revocation is warranted, this component provides information to Authorization or Revocation components to initiate revocation and/or blacklisting, as appropriate. | Cooperative ITS Credentials Management System |
| Center Trust Management | "Center Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. | Center |
| Personal Trust Management | "Personal Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. | Personal Information Device |
| PPG Privacy Services | "PPG Privacy Services" operates as a proxy, replacing the mobile device's network address with the PPG's, and tagging the message so that it can return replies to the mobile device. | Privacy Protection Gateway |
| RSE Privacy Services | "RSE Privacy Services" operates as a proxy, replacing the mobile device's network address with the RSE's, and tagging the message so that it can return replies to the mobile device. | Roadside Equipment |
| Vehicle Trust Management | "Vehicle Trust Management" manages the certificates and associated keys that are used to sign, encrypt, decrypt, and authenticate messages. It communicates with the Security and Credentials Management System to maintain a current, valid set of security certificates and identifies, logs, and reports events that may indicate a threat to the Connected Vehicle Environment security. | Vehicle OBE |
Includes Information Flows:
| Information Flow | Description |
|---|---|
| private location and address flow | Any information flow between Vehicle/PID and Center or CCMS that the initiator needs to be kept private. Privacy in this sense means that the receiver does not receive the network address of the initiator, nor does it receive the geographic location of the initiator. Flows that depend on initiator geographic location cannot use this service. |
| protected location and address flow | Information flow that has had its geographic location information removed and network address information proxied to protect the privacy of the originator. |
Application Interconnect Diagram
This is one way this application may be realized, but not the only way. There are other ways to build a given application and accomplish a stated objective.
The application interconnect diagram can be viewed in SVG or PNG format and the current format is SVG. SVG Diagram
PNG Diagram
Application Triples
Requirements
| Need | Requirement | ||
|---|---|---|---|
| N4.001 | Applications need to protect data they handle from unauthorized access. This is required to support applications that exchange sensitive information, such as personally identifying or financial information, which if intercepted could compromise the privacy or financial records of the user. | 4.001 | Applications that function by exchanging data between entities shall be able to exchange encrypted data between those entities. |
| N4.002 | Applications need to establish trust between entities that operate components of the application. Such trust relationships are necessary so that applications can be assured that entities are who they say they are, and therefore trust the source and data it receives. | 4.002 | Applications shall verify that, for each entity on which an application component is installed, that entity is trusted by the provider of the application. |
| 4.003 | Applications shall be able to digitally sign all messages sent between entities. | ||
| 4.004 | Applications shall be able to verify the digital signature of received messages. | ||
| 4.005 | Digital signatures used to ensure trust shall be generated independently of the application sending the message to be signed. | ||
| N4.003 | Applications need to revoke the trust relationship they have between entities when necessary. A trusted entity may operate in a fashion that indicates it should no longer be trusted, in which case applications must have a way of revoking that trust. | 4.006 | Applications shall identify entities that provide messages to the application that are improperly formatted. |
| 4.007 | Applications shall identify entities that provide messages to the application that are logically inconsistent. | ||
| 4.008 | Applications shall revoke personal trust (trust by the application) when a repeated pattern of messages from a given entity falls outside of the applications tolerances. | ||
| 4.009 | Applications shall be able to report suspicious behavior to third party authentication providers. | ||
| 4.010 | Applications shall be able to accept messages from the third party authentication provider that identifies entities unworthy of trust. | ||
| 4.011 | Applications shall be able to revoke trust between itself and an entity if that entity is identified by the third party authentication provider as untrustworthy. | ||
| N4.004 | All participants in the Connected Vehicle Environment need to operate on a common time base. Coordination of time between the entities that operate applications as well as those providing Core services prevents internal errors and enables time-sensitive interactions between application components. | 4.012 | All applications shall use the same time source as the basis for timing. |
| N4.070 | Privacy Protection needs to obscure the network identifiers of mobile devices in order to allow communications with credentials management and other centers. | 4.134 | Privacy Protection shall obscure the network identifiers of mobile devices communicating through roadside equipment. |
| 4.135 | Privacy Protection shall obscure the network identifiers of mobile devices communicating directly to centers. | ||
Related Sources
- Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application, 8/1/2014
Security
In order to participate in this application, each physical object should meet or exceed the following security levels.
| Physical Object Security | ||||
|---|---|---|---|---|
| Physical Object | Confidentiality | Integrity | Availability | Security Class |
| Security levels have not been defined yet. | ||||
In order to participate in this application, each information flow triple should meet or exceed the following security levels.
| Information Flow Security | |||||
|---|---|---|---|---|---|
| Source | Destination | Information Flow | Confidentiality | Integrity | Availability |
| Basis | Basis | Basis | |||
| Security levels have not been defined yet. | |||||