Abstract
The automotive industry is witnessing an accelerated growth in digital innovations that turn modern vehicles into digital systems. This makes the security of modern vehicles a crucial concern as they have evolved into cyber-physical and safety-critical systems. Therefore, stateful identity management and continuous access control have become a paramount requirement in smart vehicles. Indeed, several Identity and Access Management (IAM) frameworks have been proposed in the automotive field, but context awareness and continuity of control remain overlooked. To address these challenges, we present SIUV: a stateful smart-car IAM that is based on Usage Control (UCON) and Verifiable Credentials (VCs). SIUV uses Attribute Based Access Control (ABAC) policies to issue privileges to subjects (i.e. drivers or applications) according to their credentials and claims. The issued privileges are then used to decide whether to grant or deny access to in-car resources. Furthermore, the system continuously monitors subject claims, resource attributes and environmental conditions (e.g. location or time). Hence, if a change occurs, the system re-evaluates policies and updates or revokes issued privileges and usage decisions accordingly. We describe the architecture of SIUV, discuss the evaluation results, and define future directions.
Keywords
- UCON
- IAM
- Automotive
- Smart car
- Verifiable Credentials
- Principle of Least Privilege
- ABAC
- ALFA
- XACML
- Ed25519
This is a preview of subscription content, access via your institution.
Buying options
References
Ammar, M., Janjua, H., Thangarajan, A., Crispo, B., Hughes, D.: Securing the on-board diagnostics port (OBD-II) in vehicles. In: 8th Embedded Security in Cars (ESCAR USA) (2020)
AUTOSAR: Explanation of Adaptive Platform Design, March 2019. https://www.autosar.org/fileadmin/user_upload/standards/adaptive/19-11/AUTOSAR_EXP_PlatformDesign.pdf
Bernardini, C., Asghar, M.R., Crispo, B.: Security and privacy in vehicular communications: challenges and opportunities. Veh. Commun. 10, 13–28 (2017)
Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9
Brendel, J., Cremers, C., Jackson, D., Zhao, M.: The provable security of ed25519: theory and practice. In: 2021 IEEE Symposium on Security and Privacy (SP), vol. 1, pp. 715–732 (2021). https://doi.org/10.1109/SP40001.2021.00042. ISSN: 2375–1207
Burkacky, O., Deichmann, J., Doll, G., Knochenhauer, C.: Rethinking car software and electronics architecture, February 2018. https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/rethinking-car-software-and-electronics-architecture
Burkacky, O., Deichmann, J., Klein, B., Pototzky, K., Scherf, G.: Cybersecurity in automotive: mastering the challenge, June 2020. https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/cybersecurity-in-automotive-mastering-the-challenge
Chen, L., Moody, D., Regenscheid, A., Randall, K.: Recommendations for discrete logarithm-based cryptography: elliptic curve domain parameters. Technical report, National Institute of Standards and Technology (2019)
Deichmann, J., Klein, B., Scherf, G., Rupert, S.: The race for cybersecurity: protecting the connected car in the era of new regulation, October 2019. https://mckinsey.com/industries/automotive-and-assembly/our-insights/the-race-for-cybersecurity-protecting-the-connected-car-in-the-era-of-new-regulation
Denis, F.: libsodium: a modern and easy-to-use crypto library (2017). https://libsodium.gitbook.io/doc/
Dimitrakos, T., et al.: Trust aware continuous authorization for zero trust in consumer internet of things. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1801–1812 (2020). https://doi.org/10.1109/TrustCom50675.2020.00247
Dürrwang, J., Braun, J., Rumez, M., Kriesten, R.: Security evaluation of an airbag-ECU by reusing threat modeling artefacts. In: 2017 International Conference on Computational Science and Computational Intelligence (CSCI), pp. 37–43. IEEE (2017)
Hamad, M., Prevelakis, V.: Secure APIs for applications in microkernel-based systems. In: ICISSP, pp. 553–558 (2017)
Hu, V.C., et al.: Guide to attribute based access control (ABAC) definition and considerations (draft). NIST Special Publication 800(162) (2013)
Josefsson, S., Liusvaara, I.: RFC8032: Edwards-curve digital signature algorithm (EdDSA). Request for Comments, IETF (2017)
Kim, D.K., Song, E., Yu, H.: Introducing attribute-based access control to AUTOSAR. Technical report, SAE Technical Paper (2016)
Lazouski, A., Martinelli, F., Mori, P.: A prototype for enforcing usage control policies based on XACML. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds.) TrustBus 2012. LNCS, vol. 7449, pp. 79–92. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32287-7_7
Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015, p. 91 (2015)
OASIS: Abbreviated language for authorization Version 1.0 (2015). https://bit.ly/2UP6Jza
OASIS: eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01 (2017). http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html
Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(1), 128–174 (2004)
Rumez, M., Duda, A., Gründer, P., Kriesten, R., Sax, E.: Integration of attribute-based access control into automotive architectures. In: 2019 IEEE Intelligent Vehicles Symposium (IV), pp. 1916–1922. IEEE (2019)
Rumez, M., Grimm, D., Kriesten, R., Sax, E.: An overview of automotive service-oriented architectures and implications for security countermeasures. IEEE Access 8, 221852–221870 (2020)
Samsung: Automotive Processor Exynos Auto V9. https://www.samsung.com/semiconductor/minisite/exynos/products/automotiveprocessor/exynos-auto-v9/
Sporny, M., Longley, D., Chadwick, D.: Verifiable credentials data model 1.0. Technical report, W3C, November 2019. https://www.w3.org/TR/vc-data-model/
Wouters, L., Marin, E., Ashur, T., Gierlichs, B., Preneel, B.: Fast, furious and insecure: passive keyless entry and start systems in modern supercars. In: IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 66–85 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hariri, A., Bandopadhyay, S., Rizos, A., Dimitrakos, T., Crispo, B., Rajarajan, M. (2021). SIUV: A Smart Car Identity Management and Usage Control System Based on Verifiable Credentials. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-78120-0_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78119-4
Online ISBN: 978-3-030-78120-0
eBook Packages: Computer ScienceComputer Science (R0)
-
Published in cooperation with
http://www.ifip.org/
