Notes on Access Control

Most of the control assigned to device classes to be applied to physical objects are based on NIST Special Publication (SP) 800-53. In the context of the V2I C-ITS scenario various levels of on-board equipment (OBE), nomadic devices that may act as OBE, and roadside equipment (RSE). These devices are different from the information systems that are naturally described by SP 800-53 in that they follow the IEEE 1609.2 security model, in which applications are autonomous actors (that run without any human intervention) that have access to some application-specific material (in particular, cryptographic signing keys) but not to the equivalent material belonging to other applications.

So what's the point? NIST SP 800-53 is phrased in terms of an information system that contains resources that are accessed by human actors. Certain types of access to resources are privileged access (due to the resources or what is done with them) and must be actively authenticated via a secure session that may time out or be terminated.

In contrast, in the V2I setting, there are a number of autonomous processes which have privileged access to certain resources. These processes are local to the device; their authorization is established at the time they are installed and does not need to be re-established every time.

This necessitates a change in language from NIST SP 800-53. The SP 800-53 concept of privileged access to resources requires periodic authentication by the accessing user. In the V2I setting there are the following different kinds of privileged access to resources:

Note that this puts particular responsibility on the installation process:

Relationship to control IA-9, Service Identification and Authentication

NIST SP 800-53 defines control IA-9, Service Identification and Authentication. As noted above, resources may be accessed by processes on the device. This access may happen in response to messages received by off-device services. This machine-to-machine model for resource access will in fact be the most common type of resource access in the system.

Control IA-9 specifically addresses service identification and authorization. Note, however, that IA-9 is an organizational control, stating that the organization identifies and authenticates services. The device requirement arising from IA-9 is that services on devices can provide authentication for outgoing messages or check authentication on incoming messages; the mechanisms for this are the same as for user authentication and are specified in CM-7 and the IA-* family of controls.

"Accessers" rather than users

Since resources in this system may be accessed by other resources rather than by human users, we avoid the use of the term "users" and instead use the term "accessers" where appropriate. The term "users" as used herein refers strictly to human users.

Information flow control policy

The security controls make use of the concept of an "information flow control policy". This is a statement, for a given information flow, of the circumstances under which that flow may occur. For example, for the flow 'Vehicle OBE->vehicle situation data->CVRSE' to occur:

  1. The recipient of the vehicle situation data must have authenticated itself as a device that is entitled to receive that data
  2. The data flow must be encrypted.

Unsuccessful authentication attempts

NIST SP 800-53 defines control AC-7, Unsuccessful Logon Attempts. In the context of the V2I environment, we consider a login to be:

Hardware Security

Hardware security controls are sprinkled throughout the security controls. Of particular note, all devices are expected to:

System Management

The following actions are defined as system management activities: