secure smartphone-based registration and key · pdf filemultiple communication channels (v2c,...

Secure Smartphone-based Registration and Key Deploy-ment for Vehicle-to-Cloud CommunicationsWorkshop on Security, Privacy and Dependability for Cyber Vehi-cles (CyCAR)Julian Timpner, Dominik Schürmann, Lars Wolf, 4. November 2013

Institute of Operating Systemsand Computer Networks

Motivation Authentication and Authorization Vehicle Registration Key Deployment Conclusion

Motivation

V-ChargeAutonomous valet parking with e-mobilityElectric vehicles, equipped with affordable sensor systemsNo Internet access on vehicles (parking garage)

ChallengesMinimum of infrastructure (DTN)Efficiently using charging resourcesMultiple communication channels(V2C, Web, mobile)

Charging Station

ParkingManagerDrop-off/

Check-in{

4. November 2013 Julian Timpner, Dominik Schürmann, Lars Wolf Secure Smartphone-based Registration and Key Deployment for Vehicle-to-Cloud Communications Institute of Operating Systems

and Computer Networks


This Talk

Security ChallengesVehicle registration process independently of OEMsKey generation and deployment, while minimizing trust in centralauthorities

Secure smartphone-based registration and key deploymentFramework can be used by vehicle owners at any timeKey generation solely done by vehicle owner on a mobile deviceVehicle registration on mobile device based on well-researched PKINo proprietary protocols involved




requestToken(email, password)

〈refresh_token, access_token〉

generate 〈pkv, skv〉,CSRv

verify(access_token)

validity status

Process CSRand generate signed certv

requestCertificates(access_token,CSRv)

〈certv, certca〉

deploy(skv, certv, certca)

acknowledge deployment

delete securely〈skv, certv, certca〉

secure DTN

d:Mobile Device v:Vehicle p:ParkingManager ca:DTN CA auth:Authorization Server




Smartphone-to-Cloud: Authentication/Authorization

RequirementsDon’t store account passwords on device (protection against theft)Easy revocation of devices (recovery after theft)Don’t force users to repeatedly login before usage (usability)Based on open standards

OAuth 2.0Provides authorization for Web services and mobile devicesRFC 6749, 6750, 6819Heavy standard, some say “over-engineered”




Smartphone-to-Cloud: Authentication/Authorization

RequirementsDon’t store account passwords on device (protection against theft)Easy revocation of devices (recovery after theft)Don’t force users to repeatedly login before usage (usability)Based on open standards

OAuth 2.0Provides authorization for Web services and mobile devicesRFC 6749, 6750, 6819Heavy standard, some say “over-engineered”

4. November 2013 Julian Timpner, Dominik Schürmann, Lars Wolf Page 6Secure Smartphone-based Registration and Key Deployment for Vehicle-to-Cloud Communications Institute of Operating Systems



OAuth 2.0 Subset

Authentication/AuthorizationNo third-party applications planned for V-ChargeNo redirection flow based on grant_type “authorization_code”Reducing protocol complexityRESTful JSON interface, OAuth based on Apache Oltu

Concept Description

Token Endpoint HTTP service to request tokensgrant_type our subset implements “password” and “refresh_token”refresh_token long living authorization tokenaccess_token limited access token




OAuth 2.0 Subset



requestToken(refresh_token)

access_token

Verification usingOAuthResourceFilterFactory

request(access_token)

JSON encoded response

c:Customer endpoint:OAuthTokenEndpoint api:RESTful API

[refresh_token]

alt[password]

Switch based ongrant_typeSwitch based ongrant_type




Device Revocation








validity status



〈certv, certca〉




secure DTN





Vehicle Registration

RegistrationEasy registration process executable by customersVehicle Identification Number (VIN)Registration of vehicles without the need of in-vehicle display andin-vehicle Internet connection

Key generationNobody but the owner possesses the private keyGeneration on mobile device, protected by OS securityEnough entropy compared to embedded hardware




Vehicle Registration








validity status



〈certv, certca〉




secure DTN





Key Deployment

RequirementsIn-vehicle Hardware Security Module (HSM)NFC-enabled mobile device

Deployment process (only conceptual)Transmission of 〈skv, certv, certca〉 over NFC-SEC to HSMDelete 〈skv, certv, certca〉 from device




Hardware Security Modules

Hardware implementation details are beyond the scope of our paperAPI: Mode to reset its memory and a deployment mode to store new〈skv, certv〉-pairsVehicles are equipped with HSM by service stations or carmanufacturersRequire PIN to access the APINFC with security layer or NFC-SEC




DTN Security

ImplementationIBR-DTN daemonCloud-to-Vehicle security based on RFC 6257TLS on TCP convergence layer

V-Charge key management designPKI with certificatesRevocation by “floating” CRLs

generate 〈pkp, skp〉,CSRp

requestCertificate(CSRp)

deploy(certp, certca)

p:ParkingManager ca:DTN CA




Remote Attacks

Intercept access_tokenAttack on TLS with pinned certificate

Eavesdropping/replay attacks on NFCNFC-SEC standardTransmission only happens once, as opposed to vehicular accesscontrol systems




Attacking the Application

Extract refresh_tokenMalicious application attacking Android’sAccountManager (root exploit needed)Revocation on device theft

Steal skv before deploymentPrivilege escalation to gain access to Unix user of V-Charge appskv is stored only for a short duration on smartphone




Attacks Involving the Vehicle

Deploy attacker’s 〈skt, certt〉 to a victim’s vehicleHSM should only accept certt if it is issued for the corresponding VINvof the vehicle

Extract 〈skv, certv〉 from a victim’s vehicleRequires hacking the HSMRevocation of certv, re-generate skv, request a new certv




Conclusion

Novel approach for securely deploying cryptographic keys to vehiclesSupporting multiple services without trusting central authoritiesPrivate key never leaves vehicle ownerAuthentication/Authorization based on standardsOvercoming OAuth design problems: keeping it simpleUsable securityNo vehicular Internet access required

Questions?email: [email protected]



[email protected]


Vehicle Pre-Registration




Public Key Pinning

Introducing certificate/public key pinningInclude V-Charge’s SSL CA certificate in-appTrust by application updatesNo reliance on CAs




V-Charge Project

GoalsA system combining autonomous valet parking with e-mobilityIncreasing customer acceptance of electric vehiclesBy compensating for longer charging cycles

ChallengesEfficiently using scarce charging resourcesMultiple communication channels (V2I, Web, mobile)Autonomous driving and parking (not in this talk)



V-Charge Partners


Motivation

Scenario: EV driver at airportRoam for a free spotUse shuttle servicesTransport luggageWhat about charging?

DisadvantagesCumbersomeOnly few charging stationsMakes it even harder to find parking




V-Charge: Autonomous Parking and Charging

Drop-o�

Zone

Charging Station

Drop-off

Drop-o� andPick-up Zone

Charging Station

Reparking




V-Charge: Advanced Scenarios

Drop-o�

Charging Station

No CS available

Drop-o�

Charging Station

Alternative path

Blocked path




TU Contributions

V2X communicationsServer infrastructureCustomer interactionSystem securityParking resource management



secure smartphone-based registration and key · pdf filemultiple communication channels (v2c,...

Documents