Commission Implementing Regulation (EU) 2016/799Show full title

9.KEYS AND CERTIFICATESU.K.

9.1. Asymmetric Key Pairs and Public Key Certificates U.K.

9.1.1 General U.K.

Note: the keys described in this section are used for mutual authentication and secure messaging between vehicle units and tachograph cards and between vehicle units and external GNSS facilities. These processes are described in detail in chapters 10 and 11 of this Appendix.U.K.

CSM_51Within the European Smart Tachograph system, ECC key pairs and corresponding certificates shall be generated and managed through three functional hierarchical levels:U.K.

• European level,

• Member State level,

• Equipment level.

CSM_52Within the entire European Smart Tachograph system, public and private keys and certificates shall be generated, managed and communicated using standardized and secure methods.U.K.

9.1.2 European Level U.K.

CSM_53At European level, a single unique ECC key pair designated as EUR shall be generated. It shall consist of a private key (EUR.SK) and a public key (EUR.PK). This key pair shall form the root key pair of the entire European Smart Tachograph PKI. This task shall be handled by a European Root Certificate Authority (ERCA), under the authority and responsibility of the European Commission.U.K.

CSM_54The ERCA shall use the European private key to sign a (self-signed) root certificate of the European public key, and shall communicate this European root certificate to all Member States.U.K.

CSM_55The ERCA shall use the European private key to sign the certificates of the Member States public keys upon request. The ERCA shall keep records of all signed Member State public key certificates.U.K.

CSM_56As shown in Figure 1 in section 9.1.7, the ERCA shall generate a new European root key pair every 17 years. Whenever the ERCA generates a new European root key pair, it shall create a new self-signed root certificate for the new European public key. The validity period of a European root certificate shall be 34 years plus 3 months.U.K.

Note: The introduction of a new root key pair also implies that ERCA will generate a new motion sensor master key and a new DSRC master key, see sections 9.2.1.2 and 9.2.2.2.U.K.

CSM_57Before generating a new European root key pair, the ERCA shall conduct an analysis of the cryptographic strength that is needed for the new key pair, given it should stay secure for the next 34 years. If found necessary, the ERCA shall switch to a cipher suite that is stronger than the current one, as specified in CSM_50.U.K.

[F1CSM_58 Whenever it generates a new European root key pair, the ERCA shall create a link certificate for the new European public key and sign it with the previous European private key. The validity period of the link certificate shall be 17 years plus 3 months. This is shown in Figure 1 in section 9.1.7 as well.] U.K.

Note: Since a link certificate contains the ERCA generation X public key and is signed with the ERCA generation X-1 private key, a link certificate offers equipment issued under generation X-1 a method to trust equipment issued under generation X.U.K.

CSM_59The ERCA shall not use the private key of a root key pair for any purpose after the moment a new root key certificate becomes valid.U.K.

CSM_60At any moment in time, the ERCA shall dispose of the following cryptographic keys and certificates:U.K.

• The current EUR key pair and corresponding certificate

• All previous EUR certificates to be used for the verification of MSCA certificates that are still valid

• Link certificates for all generations of EUR certificates except the first one

9.1.3 Member State Level U.K.

CSM_61At Member State level, all Member States required to sign tachograph card certificates shall generate one or more unique ECC key pairs designated as MSCA_Card. All Member States required to sign certificates for vehicle units or external GNSS facilities shall additionally generate one or more unique ECC key pairs designated as MSCA_VU-EGF.U.K.

CSM_62The task of generating Member State key pairs shall be handled by a Member State Certificate Authority (MSCA). Whenever a MSCA generates a Member State key pair, it shall send the public key to the ERCA in order to obtain a corresponding Member State certificate signed by the ERCA.U.K.

CSM_63An MSCA shall choose the strength of a Member State key pair equal to the strength of the European root key pair used to sign the corresponding Member State certificate.U.K.

CSM_64An MSCA_VU-EGF key pair, if present, shall consist of private key MSCA_VU-EGF.SK and public key MSCA_VU-EGF.PK. An MSCA shall use the MSCA_VU-EGF.SK private key exclusively to sign the public key certificates of vehicle units and external GNSS facilities.U.K.

CSM_65An MSCA_Card key pair shall consist of private key MSCA_Card.SK and public key MSCA_Card.PK. An MSCA shall use the MSCA_Card.SK private key exclusively to sign the public key certificates of tachograph cards.U.K.

CSM_66An MSCA shall keep records of all signed VU certificates, external GNSS facility certificates and card certificates, together with the identification of the equipment for which each certificate is intended.U.K.

CSM_67The validity period of an MSCA_VU-EGF certificate shall be 17 years plus 3 months. The validity period of an MSCA_Card certificate shall be 7 years plus 1 month.U.K.

CSM_68As shown in Figure 1 in section 9.1.7, the private key of a MSCA_VU-EGF key pair and the private key of a MSCA_Card key pair shall have a key usage period of two years.U.K.

CSM_69An MSCA shall not use the private key of an MSCA_VU-EGF key pair for any purpose after the moment its usage period has ended. Neither shall an MSCA use the private key of an MSCA_Card key pair for any purpose after the moment its usage period has ended.U.K.

CSM_70At any moment in time, an MSCA shall dispose of the following cryptographic keys and certificates:U.K.

• The current MSCA_Card key pair and corresponding certificate

• All previous MSCA_Card certificates to be used for the verification of the certificates of tachograph cards that are still valid

• The current EUR certificate necessary for the verification of the current MSCA certificate

• All previous EUR certificates necessary for the verification of all MSCA certificates that are still valid

CSM_71If an MSCA is required to sign certificates for vehicle units or external GNSS facilities, it shall additionally dispose of the following keys and certificates:U.K.

• The current MSCA_VU-EGF key pair and corresponding certificate

• All previous MSCA_VU-EGF public keys to be used for the verification of the certificates of VUs or external GNSS facilities that are still valid

9.1.4 Equipment Level: Vehicle Units U.K.

[F1CSM_72 Two unique ECC key pairs shall be generated for each vehicle unit, designated as VU_MA and VU_Sign. This task is handled by VU manufacturers. Whenever a VU key pair is generated, the party generating the key shall send the public key to its MSCA, in order to obtain a corresponding VU certificate signed by the MSCA. The private key shall be used only by the vehicle unit.] U.K.

CSM_73The VU_MA and VU_Sign certificates of a given vehicle unit shall have the same Certificate Effective Date.U.K.

CSM_74A VU manufacturer shall choose the strength of a VU key pair equal to the strength of the MSCA key pair used to sign the corresponding VU certificate.U.K.

CSM_75A vehicle unit shall use its VU_MA key pair, consisting of private key VU_MA.SK and public key VU_MA.PK, exclusively to perform VU Authentication towards tachograph cards and external GNSS facilities, as specified in sections 10.3 and 11.4 of this Appendix.U.K.

CSM_76A vehicle unit shall be capable of generating ephemeral ECC key pairs and shall use an ephemeral key pair exclusively to perform session key agreement with a tachograph card or external GNSS facility, as specified in sections 10.4 and 11.4 of this Appendix.U.K.

CSM_77A vehicle unit shall use the private key VU_Sign.SK of its VU_Sign key pair exclusively to sign downloaded data files, as specified in chapter 14 of this Appendix. The corresponding public key VU_Sign.PK shall be used exclusively to verify signatures created by the vehicle unit.U.K.

CSM_78As shown in Figure 1 in section 9.1.7, the validity period of a VU_MA certificate shall be 15 years and 3 months. The validity period of a VU_Sign certificate shall also be 15 years and 3 months.U.K.

Notes: U.K.

—The extended validity period of a VU_Sign certificate allows a Vehicle Unit to create valid signatures over downloaded data during the first three months after it has expired, as required in Regulation (EU) No 581/2010.U.K.

—The extended validity period of a VU_MA certificate is needed to allow the VU to authenticate to a control card or a company card during the first three months after it has expired, such that is it possible to perform a data download.U.K.

CSM_79A vehicle unit shall not use the private key of a VU key pair for any purpose after the corresponding certificate has expired.U.K.

CSM_80The VU key pairs (except ephemeral keys pairs) and corresponding certificates of a given vehicle unit shall not be replaced or renewed in the field once the vehicle unit has been put in operation.U.K.

Notes: U.K.

—Ephemeral key pairs are not included in this requirement, as a new ephemeral key pair is generated by a VU each time Chip Authentication and session key agreement is performed, see section 10.4. Note that ephemeral key pairs do not have corresponding certificates.U.K.

—This requirement does not forbid the possibility of replacing static VU key pairs during a refurbishment or repair in a secure environment controlled by the VU manufacturer.U.K.

CSM_81When put in operation, vehicle units shall contain the following cryptographic keys and certificates:U.K.

• The VU_MA private key and corresponding certificate

• The VU_Sign private key and corresponding certificate

• The MSCA_VU-EGF certificate containing the MSCA_VU-EGF.PK public key to be used for verification of the VU_MA certificate and VU_Sign certificate

• The EUR certificate containing the EUR.PK public key to be used for verification of the MSCA_VU-EGF certificate

• The EUR certificate whose validity period directly precedes the validity period of the EUR certificate to be used to verify the MSCA_VU-EGF certificate, if existing

• The link certificate linking these two EUR certificates, if existing

CSM_82In addition to the cryptographic keys and certificates listed in CSM_81, vehicle units shall also contain the keys and certificates specified in Part A of this Appendix, allowing a vehicle unit to interact with first-generation tachograph cards.U.K.

9.1.5 Equipment Level: Tachograph Cards U.K.

[F1CSM_83 One unique ECC key pair, designated as Card_MA, shall be generated for each tachograph card. A second unique ECC key pair, designated as Card_Sign, shall additionally be generated for each driver card and each workshop card. This task may be handled by card manufacturers or card personalisers. Whenever a card key pair is generated, the party generating the key shall send the public key to its MSCA, in order to obtain a corresponding card certificate signed by the MSCA. The private key shall be used only by the tachograph card.] U.K.

CSM_84The Card_MA and Card_Sign certificates of a given driver card or workshop card shall have the same Certificate Effective Date.U.K.

CSM_85A card manufacturer or card personaliser shall choose the strength of a card key pair equal to the strength of the MSCA key pair used to sign the corresponding card certificate.U.K.

CSM_86A tachograph card shall use its Card_MA key pair, consisting of private key Card_MA.SK and public key Card_MA.PK, exclusively to perform mutual authentication and session key agreement towards vehicle units, as specified in sections 10.3 and 10.4 of this Appendix.U.K.

CSM_87A driver card or workshop card shall use the private key Card_Sign.SK of its Card_Sign key pair exclusively to sign downloaded data files, as specified in chapter 14 of this Appendix. The corresponding public key Card_Sign.PK shall be used exclusively to verify signatures created by the card.U.K.

[F1CSM_88 The validity period of a Card_MA certificate shall be as follows: U.K.

• For driver cards: 5 years

• For company cards: 5 years

• For control cards: 2 years

• For workshop cards: 1 year]

CSM_89The validity period of a Card_Sign certificate shall be as follows:U.K.

Note: the extended validity period of a Card_Sign certificate allows a driver card to create valid signatures over downloaded data during the first month after it has expired. This is necessary in view of Regulation (EU) No 581/2010, which requires that a data download from a driver card must be possible up to 28 days after the last data has been recorded.U.K.

CSM_90The key pairs and corresponding certificates of a given tachograph card shall not be replaced or renewed once the card has been issued.U.K.

CSM_91When issued, tachograph cards shall contain the following cryptographic keys and certificates:U.K.

• The Card_MA private key and corresponding certificate

• For driver cards and workshop cards additionally: the Card_Sign private key and corresponding certificate

• The MSCA_Card certificate containing the MSCA_Card.PK public key to be used for verification of the Card_MA certificate and Card_Sign certificate

• The EUR certificate containing the EUR.PK public key to be used for verification of the MSCA_Card certificate.

• The EUR certificate whose validity period directly precedes the validity period of the EUR certificate to be used to verify the MSCA_Card certificate, if existing.

• The link certificate linking these two EUR certificates, if existing.

• [F2Additionally, for control cards, company cards and workshop cards only, and only if such cards are issued during the first three months of the validity period of a new EUR certificate: the EUR certificate that is two generations older, if existing.

Note to last bullet: For example, in the first three months of the ERCA(3) certificate (see Figure 1), the mentioned cards shall contain the ERCA(1) certificate. This is needed to ensure that these cards can be used to perform data downloads from ERCA(1) VUs whose normal 15-year life period plus the 3-months data downloading period expires during these months; see the last bullet of requirement 13) in Annex IC.] U.K.

CSM_92In addition to the cryptographic keys and certificates listed in CSM_91, tachograph cards shall also contain the keys and certificates specified in Part A of this Appendix, allowing these cards to interact with first-generation VUs.U.K.

9.1.6 Equipment Level: External GNSS Facilities U.K.

[F1CSM_93 One unique ECC key pair shall be generated for each external GNSS facility, designated as EGF_MA. This task is handled by external GNSS facility manufacturers. Whenever an EGF_MA key pair is generated, the party generating th e key shall send the public key to its MSCA in order to obtain a corresponding EGF_MA certificate signed by the MSCA. The private key shall be used only by the external GNSS facility.] U.K.

CSM_94An EGF manufacturer shall choose the strength of an EGF_MA key pair equal to the strength of the MSCA key pair used to sign the corresponding EGF_MA certificate.U.K.

[F1CSM_95 An external GNSS facility shall use its EGF_MA key pair, consisting of private key EGF_MA.SK and public key EGF_MA.PK, exclusively to perform mutual authentication and session key agreement towards vehicle units, as specified in section 11.4 of this Appendix.] U.K.

CSM_96The validity period of an EGF_MA certificate shall be 15 years.U.K.

CSM_97An external GNSS facility shall not use the private key of its EGF_MA key pair for coupling to a vehicle unit after the corresponding certificate has expired.U.K.

Note: as explained in section 11.3.3, an EGF may potentially use its private key for mutual authentication towards the VU it is already coupled to, even after the corresponding certificate has expired.U.K.

CSM_98The EGF_MA key pair and corresponding certificate of a given external GNSS facility shall not be replaced or renewed in the field once the EGF has been put in operation.U.K.

Note: This requirement does not forbid the possibility of replacing EGF key pairs during a refurbishment or repair in a secure environment controlled by the EGF manufacturer.U.K.

CSM_99When put in operation, an external GNSS facility shall contain the following cryptographic keys and certificates:U.K.

• The EGF_MA private key and corresponding certificate

• The MSCA_VU-EGF certificate containing the MSCA_VU-EGF.PK public key to be used for verification of the EGF_MA certificate

• The EUR certificate containing the EUR.PK public key to be used for verification of the MSCA_VU-EGF certificate

• The EUR certificate whose validity period directly precedes the validity period of the EUR certificate to be used to verify the MSCA_VU-EGF certificate, if existing

• The link certificate linking these two EUR certificates, if existing

9.1.7 Overview: Certificate Replacement U.K.

Figure 1 below shows how different generations of ERCA root certificates, ERCA link certificates, MSCA certificates and equipment (VU and card) certificates are issued and used over time:

[F1Figure 1 Issuance and usage of different generations of ERCA root certificates, ERCA link certificates, MSCA certificates and equipment certificates] U.K.

Notes to Figure 1: U.K.

1.Different generations of the root certificate are indicated by a number in brackets. E.g. ERCA (1) is the first generation of ERCA root certificate; ERCA (2) is the second generation, etc.U.K.

2.Other certificates are indicated by two numbers in brackets, the first one indicating the root certificate generation under which they are issued, the second one the generation of the certificate itself. E.g. MSCA_Card (1-1) is the first MSCA_Card certificate issued under ERCA (1); MSCA_Card (2-1) is the first MSCA_Card certificate issued under ERCA (2); MSCA_Card (2-last) is the last MSCA_Card certificate issued under ERCA (2); Card_MA(2-1) is the first Card certificate for mutual authentication that is issued under ERCA (2), etc.U.K.

3.The MSCA_Card (2-1) and MSCA_Card (1-last) certificates are issued at almost but not exactly the same date. MSCA_Card (2-1) is the first MSCA_Card certificate issued under ERCA (2) and will be issued slightly later than MSCA_Card (1-last), the last MSCA_Card certificate under ERCA (1).U.K.

4.As shown in the figure, the first VU and Card certificates issued under ERCA (2) will appear almost two years before the last VU and Card certificates issued under ERCA (1) will appear. This is because of the fact that VU and Card certificates are issued under an MSCA certificate, not directly under the ERCA certificate. The MSCA (2-1) certificate will be issued directly after ERCA (2) becomes valid, but the MSCA (1-last) certificate will be issued only slightly before that time, at the last moment the ERCA (1) certificate is still valid. Therefore, these two MSCA certificates will have almost the same validity period, despite the fact that they are of different generations.U.K.

5.The validity period shown for cards is the one for driver cards (5 years).U.K.

[F16. To save space, the difference in validity period between the Card_MA and Card_Sign certificates is shown only for the first generation.] U.K.

9.2. Symmetric Keys U.K.

9.2.1 Keys for Securing VU — Motion Sensor Communication U.K.

9.2.1.1 General U.K.

Note: readers of this section are supposed to be familiar with the contents of [ISO 16844-3] describing the interface between a vehicle unit and a motion sensor. The pairing process between a VU and a motion sensor is described in detail in chapter 12 of this Appendix.U.K.

CSM_100A number of symmetric keys is needed for pairing vehicle units and motion sensors, for mutual authentication between vehicle units and motion sensors and for encrypting communication between vehicle units and motion sensors, as shown in Table 3. All of these keys shall be AES keys, with a key length equal to the length of the motion sensor master key, which shall be linked to the length of the (foreseen) European root key pair as described in CSM_50.U.K.

CSM_101The European Root Certificate Authority shall generate K_M-VU and K_M-WC, two random and unique AES keys from which the motion sensor master key K_M can be calculated as K_M-VU XOR K_M-WC. The ERCA shall communicate K_M, K_M-VU and K_M-WC to Member State Certificate Authorities upon their request.U.K.

CSM_102The ERCA shall assign to each motion sensor master key K_M a unique version number, which shall also be applicable for the constituting keys K_M-VU and K_M-WC and for the related identification key K_ID. The ERCA shall inform the MSCAs about the version number when sending K_M-VU and K_M-WC to them.U.K.

Note: The version number is used to distinguish different generations of these keys, as explained in detail in section 9.2.1.2.U.K.

CSM_103A Member State Certificate Authority shall forward K_M-VU, together with its version number, to vehicle unit manufacturers upon their request. The VU manufacturers shall insert K_M-VU and its version number in all manufactured VUs.U.K.

CSM_104A Member State Certificate Authority shall ensure that K_M-WC, together with its version number, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—See the description of data type in Appendix 2.U.K.

—as explained in section 9.2.1.2, in fact multiple generations of K_M-WC may have to be inserted in a single workshop card.U.K.

CSM_105In addition to the AES key specified in CSM_104, a MSCA shall ensure that the TDES key Km_WC, specified in requirement CSM_037 in Part A of this Appendix, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—This allows a second-generation workshop card to be used for coupling a first-generation VU.U.K.

—A second-generation workshop card will contain two different applications, one complying with Part B of this Appendix and one complying with Part A. The latter will contain the TDES key Km_WC.U.K.

CSM_106An MSCA involved in issuing motion sensors shall derive the identification key from the motion sensor master key by XORing it with a constant vector CV. The value of CV shall be as follows:U.K.

• [F1For 128-bit motion sensor master keys: CV = ‘ B6 44 2C 45 0E F8 D3 62 0B 7A 8A 97 91 E4 5D 83 ’]

• For 192-bit motion sensor master keys: CV = ‘72 AD EA FA 00 BB F4 EE F4 99 15 70 5B 7E EE BB 1C 54 ED 46 8B 0E F8 25’

• For 256-bit motion sensor master keys: CV = ‘1D 74 DB F0 34 C7 37 2F 65 55 DE D5 DC D1 9A C3 23 D6 A6 25 64 CD BE 2D 42 0D 85 D2 32 63 AD 60’

Note: the constant vectors have been generated as follows:U.K.

• Pi_10 = first 10 bytes of the decimal portion of the mathematical constant π = ‘24 3F 6A 88 85 A3 08 D3 13 19’

• CV_128-bits = first 16 bytes of SHA-256(Pi_10)

• CV_192-bits = first 24 bytes of SHA-384(Pi_10)

• CV_256-bits = first 32 bytes of SHA-512(Pi_10)

CSM_107 [F1Each Motion sensor manufacturer shall generate a random and unique pairing key K _P for every motion sensor, and shall send each pairing key to its Member State Certificate Authority. The MSCA shall encrypt each pairing key separately with the motion sensor master key K _M and shall return the encrypted key to the motion sensor manufacturer. For each encrypted key, the MSCA shall notify the motion sensor manufacturer of the version number of the associated K _M .] U.K.

Note: as explained in section 9.2.1.2, in fact a motion sensor manufacturer may have to generate multiple unique pairing keys for a single motion sensor.U.K.

[F1CSM_108 Each motion sensor manufacturer shall generate a unique serial number for every motion sensor, and shall send all serial numbers to its Member State Certificate Authority. The MSCA shall encrypt each serial number separately with the identification key K _ID and shall return the encrypted serial number to the motion sensor manufacturer. For each encrypted serial number, the MSCA shall notify the motion sensor manufacturer of the version number of the associated K _ID .] U.K.

CSM_109For requirements CSM_107 and CSM_108, the MSCA shall use the AES algorithm in the Cipher Block Chaining mode of operation, as defined in [ISO 10116], with an interleave parameter m = 1 and an initialization vector SV = ‘00’ {16}, i.e. sixteen bytes with binary value 0. When necessary, the MSCA shall use padding method 2 defined in [ISO 9797-1].U.K.

CSM_110The motion sensor manufacturer shall store the encrypted pairing key and the encrypted serial number in the intended motion sensor, together with the corresponding plain text values and the version number of K_M and K_ID used for encrypting.U.K.

Note: as explained in section 9.2.1.2, in fact a motion sensor manufacturer may have to insert multiple encrypted pairing keys and multiple encrypted serial numbers in a single motion sensor.U.K.

CSM_111In addition to the AES-based cryptographic material specified in CSM_110, a motion sensor manufacturer may also store in each motion sensor the TDES-based cryptographic material specified in requirement CSM_037 in Part A of this Appendix.U.K.

Note: doing so will allow a second-generation motion sensor to be coupled to a first-generation VU.U.K.

CSM_112The length of the session key K_S generated by a VU during the pairing to a motion sensor shall be linked to the length of its K_M-VU, as described in CSM_50.U.K.

9.2.1.2 Motion Sensor Master Key Replacement in Second-Generation Equipment U.K.

CSM_113Each motion sensor master key and all related keys (see Table 3) is associated to a particular generation of the ERCA root key pair. These keys shall therefore be replaced every 17 years. The validity period of each motion sensor master key generation shall begin one year before the associated ERCA root key pair becomes valid and shall end when the associated ERCA root key pair expires. This is depicted in Figure 2.U.K.

CSM_114At least one year before generating a new European root key pair, as described in CSM_56, the ERCA shall generate a new motion sensor master key K_M by generating a new K_M-VU and K_M-WC. The length of the motion sensor master key shall be linked to the foreseen strength of the new European root key pair, according to CSM_50. The ERCA shall communicate the new K_M, K_M-VU and K_M-WC to the MSCAs upon their request, together with their version number.U.K.

CSM_115An MSCA shall ensure that all valid generations of K_M-WC are stored in every workshop card issued under its authority, together with their version numbers, as shown in Figure 2.U.K.

Note: this implies that in the last year of the validity period of an ERCA certificate, workshop cards will be issued with three different generations of K_M-WC, as shown in Figure 2.U.K.

CSM_116In relation to the process described in CSM_107 and CSM_108 above: An MSCA shall encrypt each pairing key K_P it receives from a motion sensor manufacturer separately with each valid generation of the motion sensor master key K_M. An MSCA shall also encrypt each serial number it receives from a motion sensor manufacturer separately with each valid generation of the identification key K_ID. A motion sensor manufacturer shall store all encryptions of the pairing key and all encryptions of the serial number in the intended motion sensor, together with the corresponding plain text values and the version number(s) of K_M and K_ID used for encrypting.U.K.

Note: This implies that in the last year of the validity period of an ERCA certificate, motion sensors will be issued with encrypted data based on three different generations of K_M, as shown in Figure 2.U.K.

CSM_117In relation to the process described in CSM_107 above: Since the length of the pairing key K_P shall be linked to the length of K_M (see CSM_100), a motion sensor manufacturer may have to generate up to three different pairing keys (of different lengths) for one motion sensor, in case subsequent generations of K_M have different lengths. In such a case, the manufacturer shall send each pairing key to the MSCA. The MSCA shall ensure that each pairing key is encrypted with the correct generation of the motion sensor master key, i.e. the one having the same length.U.K.

Note: In case the motion sensor manufacturer chooses to generate a TDES-based pairing key for a second-generation motion sensor (see CSM_111), the manufacturer shall indicate to the MSCA that the TDES-based motion sensor master key must be used for encrypting this pairing key. This is because the length of a TDES key may be equal to that of an AES key, so the MSCA cannot judge from the key length alone.U.K.

CSM_118Vehicle unit manufacturers shall insert only one generation of K_M-VU in each vehicle unit, together with its version number. This K_M-VU generation shall be linked to the ERCA certificate upon which the VU's certificates are based.U.K.

Notes: U.K.

—A vehicle unit based on the generation X ERCA certificate shall only contain the generation X K_M-VU, even if it is issued after the start of the validity period of the generation X+1 ERCA certificate. This is shown in Figure 2.U.K.

—A VU of generation X cannot be paired to a motion sensor of generation X-1.U.K.

—Since workshop cards have a validity period of one year, the result of CSM_113 — CSM_118 is that all workshop cards will contain the new K_M-WC at the moment the first VU containing the new K_M-VU is issued. Therefore, such a VU will always be able to calculate the new K_M. Moreover, by that time most new motion sensors will contain encrypted data based on the new K_M as well.U.K.

9.2.2 Keys for Securing DSRC Communication U.K.

9.2.2.1 General U.K.

CSM_119The authenticity and confidentiality of data communicated from a vehicle unit to a control authority over a DSRC remote communication channel shall be ensured by means of a set of VU-specific AES keys derived from a single DSRC master key, KM_DSRC.U.K.

CSM_120The DSRC master key KM_DSRC shall be an AES key that is securely generated, stored and distributed by the ERCA. The key length may be 128, 192 or 256 bits and shall be linked to the length of the European root key pair, as described in CSM_50.U.K.

CSM_121The ERCA shall communicate the DSRC master key to Member State Certificate Authorities upon their request in a secure manner, to allow them to derive VU-specific DSRC keys and to ensure that the DSRC master key is inserted in all control cards and workshop cards issued under their responsibility.U.K.

CSM_122The ERCA shall assign to each DSRC master key a unique version number. The ERCA shall inform the MSCAs about the version number when sending the DSRC master key to them.U.K.

Note: The version number is used to distinguish different generations of the DSRC master key, as explained in detail in section 9.2.2.2.U.K.

[F1CSM_123 For every vehicle unit, the vehicle unit manufacturer shall create a unique VU serial number and shall send this number to its Member State Certificate Authority in a request to obtain a set of two VU-specific DSRC keys. The VU serial number shall have data type . U.K.

Note: U.K.

• This VU serial number shall be identical to the vuSerialNumber element of VuIdentification, see Appendix 1 and to the Certificate Holder Reference in the VU’s certificates.

• The VU serial number may not be known at the moment a vehicle unit manufacturer requests the VU-specific DSRC keys. In this case, the VU manufacturer shall send instead the unique certificate request ID it used when requesting the VU’s certificates; see CSM_153. This certificate request ID shall therefore be equal to the Certificate Holder Reference in the VU’s certificates.]

CSM_124Upon receiving a request for VU-specific DSRC keys, the MSCA shall derive two AES keys for the vehicle unit, called K_VU_DSRC_ENC and K_VU_DSRC_MAC. These VU-specific keys shall have the same length as the DSRC master key. The MSCA shall use the key derivation function defined in [RFC 5869]. The hash function that is necessary to instantiate the HMAC-Hash function shall be linked to the length of the DSRC master key, as described in CSM_50. The key derivation function in [RFC 5869] shall be used as follows:U.K.

• Step 1 (Extract):

  • PRK = HMAC-Hash (salt, IKM) where salt is an empty string ‘’ and IKM is KM_DSRC.

• Step 2 (Expand):

  • OKM = T(1), where

    T(1) = HMAC-Hash (PRK, T(0) || info || ‘01’) with

    • T(0) = an empty string (‘’)

    • [F1info = VU serial number or certificate request ID, as specified in CSM_123]

  • K_VU_DSRC_ENC = first L octets of OKM and

    K_VU_DSRC_MAC = last L octets of OKM

    where L is the required length of K_VU_DSRC_ENC and K_VU_DSRC_MAC in octets.

CSM_125The MSCA shall distribute K_VU_DSRC_ENC and K_VU_DSRC_MAC to the VU manufacturer in a secure manner for insertion in the intended vehicle unit.U.K.

CSM_126When issued, a vehicle unit shall have stored K_VU_DSRC_ENC and K_VU_DSRC_MAC in its secure memory, in order to be able to ensure the integrity, authenticity and confidentiality of data sent over the remote communication channel. A vehicle unit shall also store the version number of the DSRC master key used to derive these VU-specific keys.U.K.

CSM_127When issued, control cards and workshop cards shall have stored KM_DSRC in their secure memory, in order to be able to verify the integrity and authenticity of data sent by a VU over the remote communication channel and to decrypt this data. Control cards and workshop cards shall also store the version number of the DSRC master key.U.K.

Note: as explained in section 9.2.2.2, in fact multiple generations of KM_DSRC may have to be inserted in a single workshop card or control card.U.K.

[F1CSM_128 The MSCA shall keep records of all VU-specific DSRC keys it generated, their version number and the VU serial number or certificate request ID used in deriving them.] U.K.

9.2.2.2 DSRC Master Key Replacement U.K.

CSM_129Each DSRC master key is associated to a particular generation of the ERCA root key pair. The ERCA shall therefore replace the DSRC master key every 17 years. The validity period of each DSRC master key generation shall begin two years before the associated ERCA root key pair becomes valid and shall end when the associated ERCA root key pair expires. This is depicted in Figure 3.U.K.

CSM_130At least two years before generating a new European root key pair, as described in CSM_56, the ERCA shall generate a new DSRC master key. The length of the DSRC key shall be linked to the foreseen strength of the new European root key pair, according to CSM_50. The ERCA shall communicate the new DSRC master key to the MSCAs upon their request, together with its version number.U.K.

CSM_131An MSCA shall ensure that all valid generations of KM_DSRC are stored in every control card issued under its authority, together with their version numbers, as shown in Figure 3.U.K.

Note: this implies that in the last two years of the validity period of an ERCA certificate, control cards will be issued with three different generations of KM_DSRC, as shown in Figure 3.U.K.

CSM_132An MSCA shall ensure that all generations of KM_DSRC that have been valid for at least a year and are still valid, are stored in every workshop card issued under its authority, together with their version numbers, as shown in Figure 3.U.K.

Note: this implies that in the last year of the validity period of an ERCA certificate, workshop cards will be issued with three different generations of KM_DSRC, as shown in Figure 3.U.K.

CSM_133Vehicle unit manufacturers shall insert only one set of VU-specific DSRC keys into each vehicle unit, together with its version number. This set of keys shall be derived from the KM_DSRC generation linked to the ERCA certificate upon which the VU's certificates are based.U.K.

Notes: U.K.

—This implies that a vehicle unit based on the generation X ERCA certificate shall only contain the generation X K_VU_DSRC_ENC and K_VU_DSRC_MAC_, even if the VU is issued after the start of the validity period of the generation X+1 ERCA certificate. This is shown in Figure 3.U.K.

—Since workshop cards have a validity period of one year and control cards of two years, the result of CSM_131 — CSM_133 is that all workshop cards and control cards will contain the new DSRC master key at the moment the first VU containing VU-specific keys based on that master key will be issued.U.K.

9.3. Certificates U.K.

9.3.1 General U.K.

CSM_134All certificates in the European Smart Tachograph system shall be self-descriptive, card-verifiable (CV) certificates according to [ISO 7816-4] and [ISO 7816-8].U.K.

CSM_135 [F1The Distinguished Encoding Rules (DER) according to [ISO 8825-1] shall be used to encode the data objects within certificates. Table 4 shows the full certificate encoding, including all tag and length bytes.] U.K.

Note: this encoding results in a Tag-Length-Value (TLV) structure as follows:U.K.

9.3.2 Certificate Content U.K.

CSM_136All certificates shall have the structure shown in the certificate profile in Table 4.U.K.

Note: the Field ID will be used in later sections of this Appendix to indicate individual fields of a certificate, e.g. X.CAR is the Certificate Authority Reference mentioned in the certificate of user X.U.K.

9.3.2.1Certificate Profile IdentifierU.K.

CSM_137Certificates shall use a Certificate Profile Identifier to indicate the certificate profile used. Version 1, as specified in Table 4, shall be identified by a value of ‘00’.U.K.

9.3.2.2Certificate Authority ReferenceU.K.

CSM_138The Certificate Authority Reference shall be used to identify the public key to be used to verify the certificate signature. The Certificate Authority Reference shall therefore be equal to the Certificate Holder Reference in the certificate of the corresponding certificate authority.U.K.

CSM_139An ERCA root certificate shall be self-signed, i.e., the Certificate Authority Reference and the Certificate Holder Reference in the certificate shall be equal.U.K.

CSM_140For an ERCA link certificate, the Certificate Holder Reference shall be equal to the CHR of the new ERCA root certificate. The Certificate Authority Reference for a link certificate shall be equal to the CHR of the previous ERCA root certificate.U.K.

9.3.2.3Certificate Holder AuthorisationU.K.

[F1CSM_141 The Certificate Holder Authorisation shall be used to identify the type of certificate. It consists of the six most significant bytes of the Tachograph Application ID, concatenated with the equipment type, which indicates the type of equipment for which the certificate is intended. In the case of a VU certificate, a driver card certificate or a workshop card certificate, the equipment type is also used to differentiate between a certificate for Mutual Authentication and a certificate for creating digital signatures (see section 9.1 and Appendix 1, data type EquipmentType).] U.K.

9.3.2.4Public KeyU.K.

The Public Key nests two data elements: the standardized domain parameters to be used with the public key in the certificate and the value of the public point.

CSM_142The data element Domain Parameters shall contain one of the object identifiers specified in Table 1 to reference a set of standardized domain parameters.U.K.

CSM_143The data element Public Point shall contain the public point. Elliptic curve public points shall be converted to octet strings as specified in [TR-03111]. The uncompressed encoding format shall be used. When recovering an elliptic curve point from its encoded format, the validations described in [TR-03111] shall always be carried out.U.K.

9.3.2.5Certificate Holder ReferenceU.K.

CSM_144The Certificate Holder Reference is an identifier for the public key provided in the certificate. It shall be used to reference this public key in other certificates.U.K.

CSM_145For card certificates and external GNSS facility certificates, the Certificate Holder Reference shall have the data type specified in Appendix 1.U.K.

CSM_146For vehicle units, the manufacturer, when requesting a certificate, may or may not know the manufacturer-specific serial number of the VU for which that certificate and the associated private key is intended. In the first case, the Certificate Holder Reference shall have the data type specified in Appendix 1. In the latter case, the Certificate Holder Reference shall have the data type specified in Appendix 1.U.K.

[F2Note: For a card certificate, the value of the CHR shall be equal to the value of the cardExtendedSerialNumber in EF_ICC; see Appendix 2. For an EGF certificate, the value of the CHR shall be equal to the value of the sensorGNSSSerialNumber in EF_ICC; see Appendix 14. For a VU certificate, the value of the CHR shall be equal to the vuSerialNumber element of VuIdentification, see Appendix 1, unless the manufacturer does not know the manufacturer-specific serial number at the time the certificate is requested.] U.K.

CSM_147For ERCA and MSCA certificates, the Certificate Holder Reference shall have the data type specified in Appendix 1.U.K.

9.3.2.6Certificate Effective DateU.K.

[F1CSM_148 The Certificate Effective Date shall indicate the starting date and time of the validity period of the certificate.] U.K.

9.3.2.7Certificate Expiration DateU.K.

CSM_149The Certificate Expiration Date shall indicate the end date and time of the validity period of the certificate.U.K.

9.3.2.8Certificate SignatureU.K.

CSM_150The signature on the certificate shall be created over the encoded certificate body, including the certificate body tag and length. The signature algorithm shall be ECDSA, as specified in [DSS], using the hashing algorithm linked to the key size of the signing authority, as specified in CSM_50. The signature format shall be plain, as specified in [TR-03111].U.K.

9.3.3 Requesting Certificates U.K.

CSM_151 [F1When requesting a certificate, an MSCA shall send the following data to the ERCA:] U.K.

• The Certificate Profile Identifier of the requested certificate

• The Certificate Authority Reference expected to be used for signing the certificate.

• The Public Key to be signed

CSM_152In addition to the data in CSM_151, an MSCA shall send the following data in a certificate request to the ERCA, allowing the ERCA to create the Certificate Holder Reference of the new MSCA certificate:U.K.

• The numerical nation code of the Certification Authority (data type defined in Appendix 1)

• The alphanumerical nation code of the Certification Authority (data type defined in Appendix 1)

• The 1-byte serial number to distinguish the different keys of the Certification Authority in the case keys are changed

• The two-byte field containing Certification Authority specific additional info

[F1CSM_153 An equipment manufacturer shall send the following data in a certificate request to an MSCA, allowing the MSCA to create the Certificate Holder Reference of the new equipment certificate: U.K.

• If known (see CSM_154), a serial number for the equipment, unique for the manufacturer, the equipment's type and the month of manufacturing. Otherwise, a unique certificate request identifier.

• The month and the year of equipment manufacturing or of the certificate request.

The manufacturer shall ensure that this data is correct and that the certificate returned by the MSCA is inserted in the intended equipment.]

CSM_154In the case of a VU, the manufacturer, when requesting a certificate, may or may not know the manufacturer-specific serial number of the VU for which that certificate and the associated private key is intended. If known, the VU manufacturer shall send the serial number to the MSCA. If not known, the manufacturer shall uniquely identify each certificate request and send this certificate request serial number to the MSCA. The resulting certificate will then contain the certificate request serial number. After inserting the certificate in a specific VU, the manufacturer shall communicate the connection between the certificate request serial number and the VU identification to the MSCA.U.K.