Vehicle Key Management – Status of Standardization · 2018-11-15

Post on 18-Mar-2020


TRANSCRIPT

V2.01.00 | 2016-05-09

Webinar

Vehicle Key Management – Status of Standardization

Slide 2 | Agenda

- Importance of cryptographic material
- Vehicle key management != key storage
- Challenges for standardization
- Example: Initial keying at OEM for SecOC
- Status of standardization
- Summary

Slide 3 | Importance of cryptographic material
Cryptographic keys are the foundation for technical security mechanisms

[Figure: example vehicle E/E architecture – Connectivity Gateway (DSRC, 4G LTE), Central Gateway, ADAS DC, Powertrain DC, Chassis DC, Body DC, Head Unit, Instrument Cluster, CU, Smart Charging, Diagnostic Interface, and external devices (laptop, tablet, smartphone)]

- For security reasons different keys are used for different security-related use cases, e.g.
  - Secure flashing of ECUs (a.k.a. code signing, secure reprogramming)
  - Secure boot of ECUs
  - Diagnostic access control
  - Secured communication between the ECUs of a vehicle (e.g. via SecOC)
  - Secure communication from the ECU to external services (e.g. via TLS)
  - SW update over the air (SOTA)
  - Remote feature activation
  - Component theft protection
  - Immobilizer
  - Mobile online services
  - …
- The affected ECUs require a considerable number of cryptographic keys


Slide 5 | Vehicle key management != key storage
Vehicle key management in a layered security concept

Layers of the security concept (top to bottom): Secure External Communication, Secure Gateways, Secure In-Vehicle Communication, Secure Platform

Security concepts:
- Secure communication to services outside the vehicle
- Intrusion detection mechanisms
- Diagnostic policy manager
- Vehicle key management
- Security event memory
- Authentic synchronized time
- Authenticity of messages
- Integrity and freshness of messages
- Confidentiality of messages
- Key storage
- Secure boot and secure flash
- Crypto library
- HW trust anchor (HTA)

Slide 6 | Vehicle key management != key storage
Key storage

- Goal:
  - Securely store cryptographic keys
- Basic functions and key aspects:
  - Take a cryptographic key from the application
  - Securely store it in NVM or the hardware trust anchor of the ECU
  - Supported by the crypto stack (CSM, CRYIF, CRYPTO)
  - Configuration of key structures via key elements

[Figure: AUTOSAR layered architecture – Application, RTE, SYS / COM / DIAG / CSM, CRYIF, CRYPTO (SW) and CRYPTO (HW), MCAL with CAN and ETH drivers, microcontroller with HSM]

Slide 7 | Vehicle key management != key storage
Vehicle key management in the AUTOSAR architecture

- Goal:
  - Simplify typical and common key lifecycle management tasks
- Basic functions:
  - Receives new cryptographic material (keys, certificates) via diagnostic routines
  - Verifies authenticity, integrity and freshness of cryptographic material
  - Provides callouts to integrate with business logic for different typical key lifecycle phases (production, initialization, update, repair, replacement)
  - Supports on-board derivation of new keys
  - Supports secure distribution of shared secret keys
  - Logs security events to security event memory (SEM)

[Figure: AUTOSAR layered architecture as on the previous slide, extended by KEYM and SEM next to CSM / DIAG, DCM as the diagnostic module, CRYIF, CRYPTO (SW) / CRYPTO (HW), MCAL with CAN and ETH, microcontroller with HSM]
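What "verifies authenticity, integrity and freshness of cryptographic material" can look like in practice, as an added example that is not part of the webinar and is neither AUTOSAR KEYM nor Vector code: a minimal key manager that accepts a key update container only if its MAC verifies under a key shared with the update authority and its version is newer than the one already stored. The container layout, the field names, the `KeyManager` / `build_update` names and the choice of HMAC-SHA256 are assumptions made for this example.

```python
"""Added example (not from the webinar, AUTOSAR or Vector): a key manager that
checks a key update container for authenticity, integrity and freshness
before storing the key. The container format is an assumption."""
import hashlib
import hmac
import struct

# Assumed container layout (constructed for this example):
#   key_id (1 byte) | version (2 bytes, big endian) | key_value (16 bytes) | tag (32 bytes)
# The tag is HMAC-SHA256 over the first three fields under a key shared only
# between the party allowed to issue updates (e.g. the OEM backend) and the ECU.
HEADER = struct.Struct(">BH")
KEY_LEN = 16
TAG_LEN = 32


class ReplayError(ValueError):
    """Container is genuine but not fresh: version is not newer than the stored one."""


class KeyManager:
    def __init__(self, update_auth_key):
        self._auth_key = update_auth_key
        self._store = {}  # key_id -> (version, key_value); version doubles as freshness counter

    def _tag(self, body):
        return hmac.new(self._auth_key, body, hashlib.sha256).digest()

    def process_update(self, container):
        """Verify and store a key update; return the new version.
        Raises ValueError on bad length or tag, ReplayError on an old version."""
        if len(container) != HEADER.size + KEY_LEN + TAG_LEN:
            raise ValueError("malformed container")
        body, tag = container[:-TAG_LEN], container[-TAG_LEN:]
        # Integrity and authenticity: constant-time comparison of the MAC.
        if not hmac.compare_digest(self._tag(body), tag):
            raise ValueError("authentication failed")
        key_id, version = HEADER.unpack_from(body)
        key_value = body[HEADER.size:]
        # Freshness: a replayed or downgraded container carries a version <= stored.
        stored_version = self._store.get(key_id, (-1, b""))[0]
        if version <= stored_version:
            raise ReplayError("version %d not newer than %d" % (version, stored_version))
        self._store[key_id] = (version, key_value)
        return version

    def key(self, key_id):
        return self._store[key_id][1]


def build_update(update_auth_key, key_id, version, key_value):
    """Backend side: produce a container in the layout above."""
    body = HEADER.pack(key_id, version) + key_value
    return body + hmac.new(update_auth_key, body, hashlib.sha256).digest()
```

The version check is what turns a valid but old container into a rejected replay; without it, a captured legitimate update could be replayed to roll a key back. A real stack keeps the stored version in non-volatile memory and reports each failed check to the security event memory.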


Slide 9 | Challenges for standardization
Key lifecycle phases

Production of the ECU:
- Insertion of initial keys

End of line programming:
- Replacement of initial keys by OEM-specific master keys
- Insertion of additional keys
- On-board derivation of further keys
- Secure distribution of keys in the vehicle network

Aftersales:
- Keys can be replaced if they have become compromised
- Keys can be renewed after a certain time to improve security
- Additional keys can be inserted for new use cases
- Replaced ECUs can get appropriate keys to participate in secure vehicle communication

Slide 10 | Challenges for standardization
Variation points for technical solution

- Development, production and after-sales processes at Tier 1 and OEM
- Existing backend key management processes and IT infrastructure (e.g. PKI)
- Security goals (based on assumptions about the security of the development / production / service environment)
- Performance goals (based on end-of-line programming requirements)
- Vehicle security architecture / vehicle key management paradigm (centralized / decentralized)
- Current situation: Vector provides proprietary vehicle key management solutions to support a large number of different OEMs
- Goal for standardization: find the right level of abstraction
  - to provide added value compared to proprietary solutions
  - to support known OEM specifics via configuration and extension interfaces


Slide 12 | Example: Initial keying at OEM for SecOC
Scenario 1: Off-board (backend) key generation

[Figure: Diagnostic Tester connected to the KEYM instances of the ECUs]

- Diagnostic Tester provides backend-generated keys to each node
- Key managers are limited to validating backend-generated SecOC keys via
  - SHE 1.1 key update protocol or
  - OEM-specific key update containers

Slide 13 | Example: Initial keying at OEM for SecOC
Scenario 2: On-board key derivation with coordinator

[Figure: Diagnostic Tester, KEYM (Server) and KEYM (Clients)]

- Diagnostic Tester triggers SecOC keying
- On-board KEYM server creates and stores a vehicle-specific secret
- On-board KEYM server coordinates secure distribution of the secret to the clients (e.g. via Diffie-Hellman)
- KEYM clients use the secret and a key derivation function to securely derive SecOC keys

Slide 14 | Example: Initial keying at OEM for SecOC
Scenario 3: On-board key generation without coordinator

[Figure: Diagnostic Tester connected to the KEYM instances of the participating ECUs]

- Diagnostic Tester triggers SecOC keying
- No dedicated KEYM server which coordinates key negotiation (completely decentralized)
- Group of ECUs participates in negotiation of a shared secret (e.g. via Burmester-Desmedt)
- Participating nodes derive SecOC keys from the shared secret
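Scenarios 2 and 3 end in the same step, deriving per-PDU SecOC keys from a secret that every node holds; they differ in how that secret gets there. The following added example (not part of the webinar and not AUTOSAR or Vector code) models both: in scenario 2 a coordinator generates the vehicle secret and pushes it to each client over a per-client Diffie-Hellman channel; in scenario 3 the ECUs agree on the secret with one run of the Burmester-Desmedt group key agreement. The DH group (a toy, not a secure choice), the transport wrapping format, the KDF labels and all function names are assumptions made for this example.

```python
"""Added example (not from the webinar, AUTOSAR or Vector): toy model of the
two on-board SecOC keying scenarios. Group parameters and formats are assumed."""
import hashlib
import hmac
import secrets

# Toy DH group: the Curve25519 field prime used as a plain multiplicative group
# with generator 3, chosen only so the arithmetic stays readable. A real ECU
# would use a standardized group (an RFC 3526 MODP group or an elliptic curve).
P = 2**255 - 19
G = 3


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 extract-then-expand; the KDF used in both scenarios."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_secoc_key(vehicle_secret, pdu_id):
    """One 128-bit SecOC key per secured PDU, bound to the PDU id via 'info'."""
    return hkdf_sha256(vehicle_secret, b"SecOC-keying", b"pdu:" + pdu_id.to_bytes(2, "big"), 16)


def _random_exponent():
    return secrets.randbelow(P - 3) + 2  # private DH exponent in [2, P-2]


# ---- Scenario 2: KEYM server (coordinator) distributes one vehicle secret ----

def wrap_secret(secret, dh_shared, client_id):
    """Assumed transport format: (secret XOR keystream) || HMAC tag. Both keys are
    derived from the fresh DH value, so the keystream is never reused. A real
    stack would use an AEAD or the SHE / OEM key update container here."""
    ikm = dh_shared.to_bytes(32, "big")
    k_enc = hkdf_sha256(ikm, b"keym-wrap-enc", client_id.encode(), len(secret))
    k_mac = hkdf_sha256(ikm, b"keym-wrap-mac", client_id.encode(), 32)
    ct = bytes(a ^ b for a, b in zip(secret, k_enc))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def unwrap_secret(blob, dh_shared, client_id):
    ikm = dh_shared.to_bytes(32, "big")
    ct, tag = blob[:-32], blob[-32:]
    k_mac = hkdf_sha256(ikm, b"keym-wrap-mac", client_id.encode(), 32)
    if not hmac.compare_digest(hmac.new(k_mac, ct, hashlib.sha256).digest(), tag):
        raise ValueError("key transport authentication failed")
    k_enc = hkdf_sha256(ikm, b"keym-wrap-enc", client_id.encode(), len(ct))
    return bytes(a ^ b for a, b in zip(ct, k_enc))


def keying_with_coordinator(client_ids, pdu_ids):
    """Return (server_keys, {client_id: keys}); keys maps pdu_id -> SecOC key."""
    vehicle_secret = secrets.token_bytes(32)  # created and stored by the KEYM server
    server_keys = {p: derive_secoc_key(vehicle_secret, p) for p in pdu_ids}
    client_keys = {}
    for cid in client_ids:
        a, b = _random_exponent(), _random_exponent()        # server / client ephemerals
        pub_a, pub_b = pow(G, a, P), pow(G, b, P)            # exchanged over the bus
        blob = wrap_secret(vehicle_secret, pow(pub_b, a, P), cid)  # server side
        received = unwrap_secret(blob, pow(pub_a, b, P), cid)      # client side
        client_keys[cid] = {p: derive_secoc_key(received, p) for p in pdu_ids}
    return server_keys, client_keys


# ---- Scenario 3: no coordinator, Burmester-Desmedt group key agreement ----

def burmester_desmedt(exponents):
    """Given each node's secret exponent r_i (in ring order), return the key each
    node computes; all equal g^(r_1 r_2 + r_2 r_3 + ... + r_n r_1) mod P."""
    n = len(exponents)
    z = [pow(G, r, P) for r in exponents]                      # round 1: broadcast z_i = g^r_i
    x = [pow(z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P, exponents[i], P)
         for i in range(n)]                                    # round 2: X_i = (z_{i+1}/z_{i-1})^r_i
    keys = []
    for i in range(n):                                         # each node from its own view
        k = pow(z[(i - 1) % n], n * exponents[i], P)
        for j in range(n - 1):
            k = k * pow(x[(i + j) % n], n - 1 - j, P) % P
        keys.append(k)
    return keys


def keying_without_coordinator(n_nodes, pdu_ids):
    """Each node's SecOC keys after the group agreement; all entries should match."""
    group_keys = burmester_desmedt([_random_exponent() for _ in range(n_nodes)])
    return [{p: derive_secoc_key(k.to_bytes(32, "big"), p) for p in pdu_ids} for k in group_keys]
```

Two points the slides imply but do not spell out: the unauthenticated DH exchange in scenario 2 only delivers the secret to whoever answered, so a production design authenticates the client (for example via the SHE/HSM identity or a certificate handled by KEYM) before wrapping; and in scenario 3 every node must reject a run in which a broadcast value is missing or malformed, since one bad `X_i` silently gives the whole group different keys.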


Slide 16 | Status of standardization
Vehicle key management in a layered security concept

Layers of the security concept (top to bottom): Secure External Communication, Secure Gateways, Secure In-Vehicle Communication, Secure Platform

Security concepts:
- Secure communication to services outside the vehicle (TLS)
- Intrusion detection mechanisms
- Diagnostic policy manager
- Vehicle key management
- Security event memory
- Authentic synchronized time
- Authenticity of messages
- Integrity and freshness of messages
- Confidentiality of messages
- Key storage
- Secure boot and secure flash
- Crypto library
- HW trust anchor (HTA)

Standard (figure legend): AUTOSAR 4.4 Security Extensions; SecOC; SHE, HSM, TPM, TEE, …; CSM / CRYIF / CRYPTO; AUTOSAR 4.4

Slide 17 | Status of standardization
AUTOSAR 4.4 Security Extensions

- C1: Security Event Memory
- C2: Vehicle Key Management / Key Distribution
- C3: Secure Boot Status (dropped)
- C4: Authentic Synchronized Time
- C5: Dynamic Rights Management for Diagnostic Access
- C6: Improved Certificate Handling (integrated in C2)
- C7: Abstract pre-definition of Crypto Items in System Template (improves AUTOSAR tooling support for security)

Slide 18 | Status of standardization
Timeline 2018

[Figure: 2018 timeline; the milestone details are not recoverable from the transcript]


Slide 20 | Summary
Important points

- Vehicle key management != key storage
- Secure management of cryptographic keys in all lifecycle phases adds an important layer of security
- Standardization has a lot of potential for cost saving but is challenging due to OEM specifics
- Vector provides OEM-specific key management implementations for a number of OEMs
- AUTOSAR 4.4 Security Extensions provide the KEYM module as a framework for vehicle key management

Outlook:
- Security Extensions will be continued in AUTOSAR 4.5

Slide 21

© 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.

For more information about Vector and our products please visit www.vector.com

Author: Dr. Eduard Metzker, Vector Informatik GmbH
