vehicle key management challenges for ... - vector informatik

V2.01.00 | 2016-05-09

Vector Cyber Security Symposium 2017

Vehicle Key Management – Challenges for Standardization

2

u The internet of vulnerable things

Importance of cryptographic material

Vehicle key management != key storage

Challenges for standardization

Status of standardization

Summary

Agenda

3

u Cyber security was a major concern during IOT solution world congress

u Vehicles are a part of the IOT

u The IOT is at least 20 years behind the established software industry in its cyber security awareness (F-Secure)

u Easy access to the IOT

u The search engine shodan allows to search for any device connected to the internet

u Can identify anything from refridgerator to power plant

u Can be used by companies to analyze device usage

u Can be used by attackers to find vulnerable IOT devices

u 2016 a simple search on shodan detected 743 unprotected Telematics Gateway Units (TGUs) of commercial vehicles which were easy to exploit

Impressions from Internet of Things (IOT) Solution World Congress 2017

The internet of vulnerable things

4


u Importance of cryptographic material




Summary

Agenda

5

Cryptographic keys are the foundation for technical security mechanisms


Connectivity Gateway

CU

Instrument

ClusterDSRC

4G LTE

Laptop

Tablet

Smart-phone

Central Gateway

ADAS DC

Smart Charging

Powertrain DC

ChassisDC

BodyDC

Head Unit

Diagnostic Interface

u For security reasons different keys are used for different security related use cases, e.g.

u Secure flashing of ECUs (a.k.a code signing, secure reprogramming)

u Secure boot of ECUs

u Diagnostic access control

u Secured communication between the ECUs of a vehicle (e.g. via SECOC)

u Secure communication from the ECU to external services (e.g. via TLS)

u SW update over the air (SOTA)

u Remote feature activation

u Component theft protection

u Immobilizer

u Mobile online services

u …

u The affected ECUs require a considerable number of cryptographic keys

6



u Vehicle key management != key storage



Summary

Agenda

7

Vehicle key management in a layered security concept


Secure External Communication

Secure Gateways

Secure In-Vehicle Communication

Secure Platform

u Secure communication to services outside the vehicle

u Intrusion detection mechanisms

u Firewalls

u Vehicle Key Management

u Security Audit Log

u Authentic synchronized time

u Authenticity of messages

u Integrity and freshness of messages

u Confidentiality of messages

u Key storage

u Secure boot and secure flash

u Crypto library

u HW trust anchor (HTA)

Security concepts

8

Key storage


u Goal:

u Securely store cryptographic keys

u Basic Functions and Key Aspects:

u Take a cryptograhic key from the application

u Securely store it in NVM or hardware trust anchor of ECU

u Supported by the crypto stack (CSM, CRYIF, CRYPTO)

u Configuration of key structures via key elements

Microcontroller

RTE

CRYPTO

CAN

COM

ETH

MCAL

DIAG

CSM

CRYPTO (HW)

CRYIF

CRYPTO (SW)

ApplicationApp

SYS

Hardware Trust Anchor (HTA )

9

Vehicle key management in the AUTOSAR architecture


u Goal:

u Simplifies typical and common key lifecyclemanagement tasks

u Basic Functions and Key Aspects:

u Receives new cryptographic material (keys, certificates) via diagnostic routines

u Verifies authenticity, integrity and freshness of cryptographic material

u Provides callouts to integrate with business logic for different typical key lifecycle phases (production, initialization, update, repair, replacement)

u Supports on board derivation of new keys

u Supports secure distribution of shared secret keys

u Logs security events to security audit log

Microcontroller

RTE

CRYPTO

CAN

COM

ETH

MCAL

DIAG

CSM

CRYPTO (HW)

CRYIF

CRYPTO (SW)

ApplicationApp

SYS

KEYM

SAL

Hardware Trust Anchor (HTA )

DCM

10




u Challenges for standardization


Summary

Agenda

11

Production of the ECU

u Insertion of initial keys

Key lifecycle phases


Aftersales

u Keys can be replaced if they have become compromised

u Keys can be renewed after a certain time to improve security

u Additional keys can be inserted for new use cases

u Replaced ECUs can get appropriate keys to participate in secure vehicle communication

End of line programming

u Replacement of initial keys by OEM specific master keys

u Insertion of additional keys

u On board derivation of further keys

u Secure distribution of keys in the vehicle network

12

Variation points for technical solution


u Development-, production-, after sales processes @ Tier1 & OEM

u Existing backend key management processes and IT infrastructure (e.g. PKI)

u Security goals (based on assumptions about the security of the development / production / service environment)

u Performance goals (based on end of line programming requirements)

u Vehicle security architecture / vehicle key management paradigm

u Central key security manager: derives / generates and distributes keys

u No central key security manager: Keys are mostly generated in the backend and inserted on the ECUs

Find right level of abstraction

u to provide added value compared to proprietary solutions

u Support known OEM specifics

13





u Status of standardization

Summary

Agenda

14

Vehicle key management in a layered security concept


Secure External Communication

Secure Gateways

Secure In-Vehicle

Communication

Secure Platform

u Secure communication to services outside the vehicle

u Intrusion detection mechanisms

u Firewalls

u Vehicle Key Management

u Security Audit Log

u Authentic synchronized time

u Authenticity of messages

u Integrity and freshness of messages

u Confidentiality of messages

u Key storage

u Secure boot and secure flash

u Crypto library

u HW trust anchor (HTA)

Security Concepts

CCSecurityCCExtensionsCCAUTOSAR4.4

CCTLS 1.2

CCSECOC

CCSHE, HSM, CCTPM, TEE,…

CCCSM / CCCRYIF / CCCRYPTO

Standard

15

With AUTOSAR 4.3 major improvements in the AUTOSAR security stack have been specified. Furthermore the SECOC module was improved for more flexible handling of the freshness value. However experience from projects shows that the following extensions to the current security modules are required.

u C1: Security Audit Log

u C2: Key Management / Key Distribution

u C3: Secure Boot Status

u C4: Authentic Synchronized Time

u C5: Dynamic Rights Management for Diagnostic Access

u C6: Improved Certificate Handling

u C7: Abstract pre-definition of Crypto Items in System Template

Expectations:

u The extensions are essential building blocks for security controls.

u The extensions are not considered as competitive areas

u The complexity of integration can be reduced by standardization.

Goals of AUTOSAR 4.4 Security Extensions


16






u Summary

Agenda

17

u The Vehicle is a part of the Internet of Vulnerable Things

u Vehicle key management != key storage

u Secure management of cryptographic keys in all lifecycle phases adds an important layer of security

u Standardization has a lot of potential for cost saving but is challenging due to OEM specifics

u In a year from know we will see how big a step we were able to do

u Participate in AUTOSAR 4.4 Concept Group 636: Security Extensions !

Key Points

Summary

18 © 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V2.01.00 | 2016-05-09

For more information about Vectorand our products please visit

www.vector.com

Author:

Dr. Eduard Metzker

Vector Informatik GmbH

http://www.vector.com/

vehicle key management challenges for ... - vector informatik

Documents