GB/T 45112-2024 LTE-based vehicular communication - Technical requirement of security certificate management system
1 Scope
This document specifies the technical requirement of LTE-based vehicular security certificate management system architecture, certificate management requirements and security authentication mechanism requirements as well as the related explicit certificate format and interaction process.
This document is applicable to LTE-V2X equipment and security certificate management systems.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 16262 (all parts) Information technology - Abstract syntax notation one (ASN.1)
GB/T 25056 Information security technology - Specifications of cryptograph and related security technology for certificate authentication system
GB/T 25069 Information security technology - Glossary
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32918.1-2016 Information security technology - Public key cryptographic algorithm - SM2 based on elliptic curves - Part 1: General
GB/T 32918.2 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 2: Digital signature algorithm
GB/T 32918.4 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 4: Public key encryption algorithm
GB/T 32918.5 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 5: Parameter definition
GB/T 36624 Information technology - Security techniques - Authenticated encryption
ISO/IEC 8825-7 Information technology - ASN.1 encoding rules - Part 7: Specification of octet encoding rules (OER)
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
V2X equipment
safety equipment for on board unit (OBU), roadside equipment (RSU) and vehicular network service provider (VSP)
3.2
V2X communication certificate
digital certificate related to V2X communication issued by a certificate authority to vehicular network devices
Note: for example, enrollment certificate (EC), pseudonym certificate (PC), application certificate (AC) and identity certificate (IC).
3.3
V2X authorization certificate
V2X certificate used to verify messages in V2X security communication
Note: it includes PC, AC and IC.
3.4
V2X certificate
data structure issued by a V2X certificate authority that contains certificate holder information, public key, issuer information, validity period and authority, etc.
3.5
authority certificate
digital certificate issued for a V2X certificate authority
Note: it includes RCA, ICA, ECA, PCA, ACA, PRA, ARA, LA and MA, etc.
3.6
security certificate management system
system used for issuing various digital certificates and managing their lifecycle in the wireless communication technology system for vehicular networks based on LTE, typically involving entities such as Certificate Authorities (CAs), Registration Authorities (RAs), Exception Management Authorities (EMAs), and Authentication and Authorization Authorities (AAAs).
Note: It is referred to as "CA system" in this document.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
AAA Authentication and Authorization Authority
AC Application Certificate
ACA Application Certificate Authority
AID Application Identifier
API Application Programming Interface
ARA Application Certificate Registration Authority
ASN.1 Abstract Syntax Notation dot one
BSF Bootstrapping Server Function
BSM Basic Safety Message
CA Certificate Authority
COER Canonical Octet Encoding Rules
CRA Certificate Revocation Authority
CRACA Certificate Revocation Authorizing CA
CRL Certificate Revocation List
CTL Certificate Trust List
DCM Device Configuration Manager
EC Enrollment Certificate
ECA Enrollment Certificate Authority
GBA Generic Bootstrapping Architecture
GMA Global Misbehavior Authority
Contents Foreword i 1 Scope 2 Normative references 3 Terms and definitions 4 Abbreviations 5 Overview 5.1 Composition of V2X communication security system 5.2 V2X communication security service architecture 6 Security requirements for LTE-V2X certification management 6.1 Overview 6.2 Confidentiality requirements 6.3 Integrity requirements 6.4 Authenticity requirements 6.5 Privacy protection requirements 6.6 CA system safety requirements 7 General technical requirements of LTE-V2X communication security authentication mechanism 7.1 Management system architecture of LTE-V2X certificate 7.2 LTE-V2X security certificate 7.3 Description of basic elements 7.4 Security protocol data unit 7.5 Digital certificate and certificate management data form 8 LTE-V2X communication security authentication interaction process and interface technical requirements 8.1 EC management process 8.2 PC application process 8.3 AC and IC management process 8.4 CRL management process 8.5 Authority certificate management process 8.6 Misbehavior management 8.7 LA management architecture and process 9 Mutual trust technical requirements for LTE-V2X communication security authentication PKI 9.1 Overview 9.2 PKI mutual trust architecture 9.3 PKI mutual trust management process 9.4 PKI mutual trust authentication process 9.5 Trusted root certificate list (TRCL) management policy 9.6 Trusted domain certificate list (TRDL) management policy 9.7 Checking on misbehavior of trusted domains Annex A (Informative) Basic application modes of vehicular communication security Annex B (Informative) Token authorization mechanism based on OAUTH Annex C (Normative) ASN.1 template Annex D (Normative) Input and output of cryptographic algorithm Annex E (Normative) Data format of interface between V2X equipment and security certificate management system Annex F (Normative) Generation and usage of application layer session key of GBA mechanism Annex G (Informative) Certificate life cycle and update scenario Annex H (Informative) An algorithm proposal of key derivation process Annex I (Normative) Relevant definition of linkage value Annex J (Normative) Certificate trust list and mutual trust authentication process Annex K (Informative) Coding examples of algorithm Bibliography
GB/T 45112-2024 LTE-based vehicular communication - Technical requirement of security certificate management system
1 Scope
This document specifies the technical requirement of LTE-based vehicular security certificate management system architecture, certificate management requirements and security authentication mechanism requirements as well as the related explicit certificate format and interaction process.
This document is applicable to LTE-V2X equipment and security certificate management systems.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 16262 (all parts) Information technology - Abstract syntax notation one (ASN.1)
GB/T 25056 Information security technology - Specifications of cryptograph and related security technology for certificate authentication system
GB/T 25069 Information security technology - Glossary
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32918.1-2016 Information security technology - Public key cryptographic algorithm - SM2 based on elliptic curves - Part 1: General
GB/T 32918.2 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 2: Digital signature algorithm
GB/T 32918.4 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 4: Public key encryption algorithm
GB/T 32918.5 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 5: Parameter definition
GB/T 36624 Information technology - Security techniques - Authenticated encryption
ISO/IEC 8825-7 Information technology - ASN.1 encoding rules - Part 7: Specification of octet encoding rules (OER)
3GPP TS 33.220 Generic authentication architecture (GAA): generic bootstrapping architecture (GBA)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
V2X equipment
safety equipment for on board unit (OBU), roadside equipment (RSU) and vehicular network service provider (VSP)
3.2
V2X communication certificate
digital certificate related to V2X communication issued by a certificate authority to vehicular network devices
Note: for example, enrollment certificate (EC), pseudonym certificate (PC), application certificate (AC) and identity certificate (IC).
3.3
V2X authorization certificate
V2X certificate used to verify messages in V2X security communication
Note: it includes PC, AC and IC.
3.4
V2X certificate
data structure issued by a V2X certificate authority that contains certificate holder information, public key, issuer information, validity period and authority, etc.
3.5
authority certificate
digital certificate issued for a V2X certificate authority
Note: it includes RCA, ICA, ECA, PCA, ACA, PRA, ARA, LA and MA, etc.
3.6
security certificate management system
system used for issuing various digital certificates and managing their lifecycle in the wireless communication technology system for vehicular networks based on LTE, typically involving entities such as Certificate Authorities (CAs), Registration Authorities (RAs), Exception Management Authorities (EMAs), and Authentication and Authorization Authorities (AAAs).
Note: It is referred to as "CA system" in this document.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
AAA Authentication and Authorization Authority
AC Application Certificate
ACA Application Certificate Authority
AID Application Identifier
API Application Programming Interface
ARA Application Certificate Registration Authority
ASN.1 Abstract Syntax Notation dot one
BSF Bootstrapping Server Function
BSM Basic Safety Message
CA Certificate Authority
COER Canonical Octet Encoding Rules
CRA Certificate Revocation Authority
CRACA Certificate Revocation Authorizing CA
CRL Certificate Revocation List
CTL Certificate Trust List
DCM Device Configuration Manager
EC Enrollment Certificate
ECA Enrollment Certificate Authority
GBA Generic Bootstrapping Architecture
GMA Global Misbehavior Authority
Contents of GB/T 45112-2024
Contents
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
5.1 Composition of V2X communication security system
5.2 V2X communication security service architecture
6 Security requirements for LTE-V2X certification management
6.1 Overview
6.2 Confidentiality requirements
6.3 Integrity requirements
6.4 Authenticity requirements
6.5 Privacy protection requirements
6.6 CA system safety requirements
7 General technical requirements of LTE-V2X communication security authentication mechanism
7.1 Management system architecture of LTE-V2X certificate
7.2 LTE-V2X security certificate
7.3 Description of basic elements
7.4 Security protocol data unit
7.5 Digital certificate and certificate management data form
8 LTE-V2X communication security authentication interaction process and interface technical requirements
8.1 EC management process
8.2 PC application process
8.3 AC and IC management process
8.4 CRL management process
8.5 Authority certificate management process
8.6 Misbehavior management
8.7 LA management architecture and process
9 Mutual trust technical requirements for LTE-V2X communication security authentication PKI
9.1 Overview
9.2 PKI mutual trust architecture
9.3 PKI mutual trust management process
9.4 PKI mutual trust authentication process
9.5 Trusted root certificate list (TRCL) management policy
9.6 Trusted domain certificate list (TRDL) management policy
9.7 Checking on misbehavior of trusted domains
Annex A (Informative) Basic application modes of vehicular communication security
Annex B (Informative) Token authorization mechanism based on OAUTH
Annex C (Normative) ASN.1 template
Annex D (Normative) Input and output of cryptographic algorithm
Annex E (Normative) Data format of interface between V2X equipment and security certificate management system
Annex F (Normative) Generation and usage of application layer session key of GBA mechanism
Annex G (Informative) Certificate life cycle and update scenario
Annex H (Informative) An algorithm proposal of key derivation process
Annex I (Normative) Relevant definition of linkage value
Annex J (Normative) Certificate trust list and mutual trust authentication process
Annex K (Informative) Coding examples of algorithm
Bibliography