Conference Paper

Enforcing GDPR regulation to vehicular 5G communications using edge virtual counterparts

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

More and more people are concerned about data privacy and this is applicable to vehicular scenarios in which on-board units (OBU) and user devices are exposed to traceability across different access networks and service domains. General Data Protection Regulation (GDPR) in European countries indicates the way to proceed to guarantee privacy and access to sensitive data, however, applying these laws is not straightforward and may vary from country to country. Last advances in 5G communications, such as virtualisation and Multi-Access Edge Computing (MEC) can enable the proper management of data considering local GDPR regulations by using edge services. In this paper we propose the treatment of personal data in virtual OBUs (vOBU) instantiated at the edge of the network on the move. This way, vehicles and occupants benefit from GDPR guarantees compliant with current country regulations as they move across European borders.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
Delegation of processing tasks to the network has moved from cloud-based schemes to edge computing solutions where nearby servers process requests in a timely manner. Virtualisation technologies have recently given data cloud and network providers the required flexibility to offer such on-demand resources. However, the maintenance of close computing resources presents a challenge when the served devices are on the move. In this case, if processing continuity is desired, a transference of processing resources and task state should be committed to maintain the service to end devices. The solution here presented, MIGRATE, proposes the concept of virtual mobile devices (vMDs) implemented as Virtual Functions (VxF) and acting as virtual representatives of physical processing devices. vMDs are instantiated at the edge of the access network, following a Multi-Access Edge Computing (MEC) approach, and move across different virtualisation domains. MIGRATE provides seamless and efficient transference of these software entities to follow the real location of mobile devices and continue supporting their physical counterparts. Software Defined Networks and Management and Operation functions are exploited to “migrate” vMDs to new virtualisation domains by forwarding data flows to the former domain until the new one is prepared, while a distributed data base avoids the transference of data. The solution has been deployed in a reference vehicular scenario at the Institute of Telecommunications Aveiro premises within the 5GINFIRE European project. In particular, the system has been evaluated under different virtualisation domains to study the operation of the migration approach in a vehicular monitoring scenario. The results validate the system from the application viewpoint with a Web monitoring tool, and the migration of the digital twin provided as VxF is analysed attending to the modification of data flows, indicating a seamless transition between virtualisation domains in a timely manner.
Article
Full-text available
In most IoT deployments, intermediate entities are usually employed for efficiency and scalability reasons. These intermediate proxies break end-to-end security when using even the state-of-the-art transport layer security (TLS) solutions. In this direction, the recent Object Security for Constrained RESTful Environments (OSCORE) has been standardized to enable end-to-end security even in the presence of malicious proxies. In this work, we focus on the key establishment process based on application layer techniques. In particular, we evaluate the Ephemeral Diffie-Hellman over COSE (EDHOC), the de facto key establishment protocol for OSCORE. Based on EDHOC, we propose CompactEDHOC, as a lightweight alternative, in which negotiation of security parameters is extracted from the core protocol. In addition to providing end-to-end security properties, we perform extensive evaluation using real IoT hardware and simulation tools. Our evaluation results prove EDHOC-based proposals as an effective and efficient approach for the establishment of a security association in IoT constrained scenarios.
Chapter
Full-text available
The continuous, rapid and widespread usage of ICT systems, the constrainedand large-scale nature of certain related networks such as IoT (Internet ofThings), the autonomous nature of upcoming systems, as well as the newcyber-threats appearing from new disruptive technologies, are given riseto new kind of cyberattacks and security issues. In this sense, this bookchapter categorises and presents 10 current main cybersecurity and privacyresearch challenges, as well as 14 European research projects in the scopeof cybersecurity and privacy, analysed further throughout this book, that areaddressing these challenges
Article
Full-text available
Virtualization technologies are key enablers of softwarized 5G networks, and their usage in the vehicular domain can provide flexibility and reliability in real deployments, where mobility and processing needs may be an issue. Next-generation vehicular services, such as the ones in the area of urban mobility and, in general, those interconnecting on-board sensors, require continuous data gathering and processing, but current architectures are stratified in two-tier solutions in which data is collected by on-board units (OBU) and sent to cloud servers. In this line, intermediate cache and processing layers are needed in order to cover quasi-ubiquitous data-gathering needs of vehicles in scenarios of smart cities/roads considering vehicles as moving sensors. The SURROGATES solution presented in this paper proposes to virtualize vehicle OBUs and create a novel Multi-Access Edge Computing (MEC) layer with the aim of offloading processing from the vehicle and serving data-access requests. This deals with potential disconnection periods of vehicles, saves radio resources when accessing the physical OBU and improves data processing performance. A proof of concept has been implemented using OpenStack and Open Source MANO to virtualize resources and gather data from in-vehicle sensors, and a final traffic monitoring service has been implemented to validate the proposal. Performance results reveal a speedup of more than 50% in the data request resolution, with consequently great savings of network resources in the wireless segment. Thus, this work opens a novel path regarding the virtualization of end-devices in the Intelligent Transportation Systems (ITS) ecosystem.
Conference Paper
Full-text available
We present TEEshift, a tool suite that protects the confiden- tiality and integrity of code by shifting selected functions into TEEs. Our approach works entirely on binary-level and does not require the adaption of source code projects or build environments, nor does it require compiler-level patches. Programmers provide a list of ELF symbols pointing to the functions that should be protected. After post-processing an ELF binary with TEEshift, the selected functions are not present in cleartext anymore. Only after attesting to a re- mote party that the loading enclave behaves with integrity, the functions are decrypted, but remain inside the enclave protected against reverse engineering. An online connection is only required when a program starts for the first time on a PC. Afterwards, sealing is used to securely store the decryption key and bind it to the PC. By allowing program- mers to move selected function into TEEs, without patching their source code, we provide a convenient way to enable TEEs in existing projects while preserving the flexibility for a finegrained security and performance tradeoff. We evaluated our tool using a real world gaming application, confirming the practicability of our approach for existing projects. We overcome the limitation of the fragmented TEE landscape by building on top of Asylo, an open framework by Google for apps which aim to support different TEEs such as Intel SGX and AMD SEV using a unified API.
Conference Paper
Full-text available
The next mobile generation, 5G, is expected to bring an enormous amount of new services and increased user experience. However adequate protection mechanisms for data and user privacy are required as this new technology will play a crucial role in society by connecting vertical industries like smart-grid, e-health, financial, transport and manufacturing. In this paper, we identify the most important privacy issues caused by the new technologies planned to use in 5G. We make a relation between these issues and the proposed objectives for privacy protection. Finally, we show how these objectives can be met by both a regulatory and technological approach. To this end, several technological solutions are identified
Article
Full-text available
The emergence of distributed ledger technology (DLT) based upon a blockchain data structure, has given rise to new approaches to identity management that aim to upend dominant approaches to providing and consuming digital identities. These new approaches to identity management (IdM) propose to enhance decentralisation, transparency and user control in transactions that involve identity information; but, given the historical challenge to design IdM, can these new DLT-based schemes deliver on their lofty goals? We introduce the emerging landscape of DLT-based IdM, and evaluate three representative proposals: uPort; ShoCard; and Sovrin; using the analytic lens of a seminal framework that characterises the nature of successful IdM schemes.
Article
The Software-defined Network (SDN) paradigm enables an efficient management of future networks by decoupling the control plane from the data plane. Specifically, network resources (e.g. switches or routers) only perform Internet Protocol (IP) packet forwarding in the data plane based on rules dictated by SDN controllers that implement the control plane. Despite the applicability of SDNs to manage network security is a hot topic, managing security associations using SDNs to protect data plane communications is not well covered in the literature. In this sense, the IP Security (IPsec) protocol is the standard to protect IP traffic at network level and it is foreseen a key element in the forthcoming 5G networks or Software-Defined WAN (SD-WAN). Traditionally, the IPsec operation is assisted by a key management protocol, such as the Internet Key Exchange (IKEv2), responsible for establishing IPsec Security Associations (IPsec SAs). Yet, manual configuration of IKEv2 is still required, which does not scale when the number of IPsec entities is high. In this paper we propose a solution to manage IPsec SAs using SDNs avoiding manual configuration in the network resources and enabling a reduced involvement of network administrators. We present two different cases, IKE case and IKE-less case, balancing between the participation of the SDN controller in the IPsec management and the complexity of the network resource. We provide a comprehensive explanation and deep analysis of the solution, which is undergoing standardization at the Internet Engineering Task Force (IETF), describing the interfaces, the operation and security aspects. Finally, we include a simple but significative performance analysis of both cases and a proof-of-concept implementation of the proposal.
Article
Recently, many academic institutions and standardization organizations have conducted research on vehicular communications based on LTE or 5G. As the most important standardization organization of cellular systems, the 3rd Generation Partnership Project (3GPP) has been developing the standard supporting vehicle-to-everything (V2X) services based on LTE, and has already prepared the roadmap toward 5G-based V2X services. With the emergence of new technologies and applications, such as connected autonomous vehicles, 5G-enabled vehicular networks face a variety of security and privacy challenges, which have not been fully investigated. In this article, we first present the infrastructure of 5G-enabled vehicular networks. Then the essential security and privacy aspects of V2X in LTE specified by 3GPP are introduced. After that, as a case study, we investigate the security and privacy issues of a 5G-enabled autonomous platoon, and propose several candidate solutions, including secure group setup with privacy preservation, distributed group key management, and cooperative message authentication. Finally, we discuss the security and privacy challenges in 5G-enabled vehicular networks.
Article
The ever-increasing demands of vehicular networks pose significant challenges such as availability, computation complexity, security, trust, authentication, etc. This becomes even more complicated for high-speed moving vehicles. As a result, increasing the capacity of these networks has been attracting considerable awareness. In this regard, the next generation of cellular networks, 5G, is expected to be a promising solution enabling high data rates, capacity, and quality of service (QoS) as well as low latency communications. However, 5G networks still face challenges in providing ubiquitous and reliable connections among high speed vehicles. Thus, to overcome the gaps in the existing solutions, we propose an SDN based consolidated framework providing end-to-end security and privacy in 5G enabled vehicular networks. The framework simplifies network management through SDN, while achieving optimized network communications. It operates in two phases: (1) An ECC based authentication protocol is proposed to mutually authenticate the cluster heads and certificate authority in SDN based vehicular setups, and (2) An intrusion detection module supported by tensor based dimensionality reduction is designed to reduce the computational complexity and identify the potential intrusions in the network. In order to assess the performance of the proposed framework, an extensive evaluation is performed on 3 simulators; NS3, SUMO, and SPAN. To harness the potential benefits of the proposed model, the first module, is evaluated on the basis of security features, whereas the second module is evaluated, and compared with the existing state-of-the-art models, on the basis of detection rate, false positive rate, accuracy, detection time and communication overhead. The simulation results indicate the superiority of the proposed framework as compared to the existing models.
Article
Multi-access Edge Computing (MEC) is an emerging ecosystem, which aims at converging telecommunication and IT services, providing a cloud computing platform at the edge of the Radio Access Network (RAN). MEC offers storage and computational resources at the edge, reducing latency for mobile end users and utilizing more efficiently the mobile backhaul and core networks. This paper introduces a survey on MEC and focuses on the fundamental key enabling technologies. It elaborates MEC orchestration considering both individual services and a network of MEC platforms supporting mobility, bringing light into the different orchestration deployment options. In addition, this paper analyzes the MEC reference architecture and main deployment scenarios, which offer multi-tenancy support for application developers, content providers and third parties. Finally, this paper overviews the current standardization activities and elaborates further on open research challenges.
Article
A common practice is applying security after a network has been designed or developed. We have the opportunity of not committing this error in vehicular networks. Apart from particular works in the literature, ETSI TC ITS has defined general security services for (vehicular) cooperative systems. However, existent efforts do not pay the needed attention to the integration of IPv6 yet. The potential of IPv6 in the field is being described within ISO TC 204, above all, but further work is needed for a proper integration of security. This work follows this direction, and a reference vehicular communication architecture considering ETSI/ISO regulations, uses Internet Protocol security (IPsec) and Internet Key Exchange version 2 (IKEv2) to secure IPv6 Network Mobility (NEMO). A key advance is also the implementation and experimental evaluation of the proposal in a challenging vertical handover scenario between 3G and 802.11p. The performance of the secured NEMO channel is widely analyzed in terms of the movement speed, bandwidth, traffic type or signal quality, and it is concluded that the addition of IPv6 security only implies a slight reduction in the overall performance, with the great advantage of providing confidentiality, integrity and authenticity to the communication path.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Official Journal of the European Union, L 119(1):1-88, 2016.