vehicle key management status of standardization · 2018-11-15 · u vehicle key management != key...

V2.01.00 | 2016-05-09

Webinar

Vehicle Key Management – Status of Standardization

2

u Importance of cryptographic material

Vehicle key management != key storage

Challenges for standardization

Example: Initial keying at OEM for SecOC

Status of standardization

Summary

Agenda

3

Cryptographic keys are the foundation for technical security mechanisms

Importance of cryptographic material

Connectivity Gateway

CU

Instrument

ClusterDSRC

4G LTE

Laptop

Tablet

Smart-phone

Central Gateway

ADAS DC

Smart Charging

Powertrain DC

ChassisDC

BodyDC

Head Unit

Diagnostic Interface

u For security reasons different keys are used for different security related use cases, e.g.

u Secure flashing of ECUs (a.k.a code signing, secure reprogramming)

u Secure boot of ECUs

u Diagnostic access control

u Secured communication between the ECUs of a vehicle (e.g. via SECOC)

u Secure communication from the ECU to external services (e.g. via TLS)

u SW update over the air (SOTA)

u Remote feature activation

u Component theft protection

u Immobilizer

u Mobile online services

u …

u The affected ECUs require a considerable number of cryptographic keys

4


u Vehicle key management != key storage




Summary

Agenda

5

Vehicle key management in a layered security concept


Secure External Communication

Secure Gateways

Secure In-Vehicle Communication

Secure Platform

u Secure communication to services outside the vehicle

u Intrusion detection mechanisms

u Diagnostic policy manager

u Vehicle key management

u Security event memory

u Authentic synchronized time

u Authenticity of messages

u Integrity and freshness of messages

u Confidentiality of messages

u Key storage

u Secure boot and secure flash

u Crypto library

u HW trust anchor (HTA)

Security concepts

6

Key storage


u Goal:

u Securely store cryptographic keys

u Basic functions and key aspects:

u Take a cryptograhic key from the application

u Securely store it in NVM or hardware trust anchor of ECU

u Supported by the crypto stack (CSM, CRYIF, CRYPTO)

u Configuration of key structures via key elements

Microcontroller

RTE

CRYPTO

CAN

COM

ETH

MCAL

DIAG

CSM

CRYPTO (HW)

CRYIF

CRYPTO (SW)

ApplicationApp

SYS

HSM

7

Vehicle key management in the AUTOSAR architecture


u Goal:

u Simplifies typical and common key lifecyclemanagement tasks

u Basic functions:

u Receives new cryptographic material (keys, certificates) via diagnostic routines

u Verifies authenticity, integrity and freshness of cryptographic material

u Provides callouts to integrate with business logic for different typical key lifecycle phases (production, initialization, update, repair, replacement)

u Supports on board derivation of new keys

u Supports secure distribution of shared secret keys

u Logs security events to security event memory (SEM)

Microcontroller

RTE

CRYPTO

CAN

COM

ETH

MCAL

DIAG

CSM

CRYPTO (HW)

CRYIF

CRYPTO (SW)

ApplicationApp

SYS

KEYM

SEM

HSM

DCM

8



u Challenges for standardization



Summary

Agenda

9

Production of the ECU

u Insertion of initial keys

Key lifecycle phases


Aftersales

u Keys can be replaced if they have become compromised

u Keys can be renewed after a certain time to improve security

u Additional keys can be inserted for new use cases

u Replaced ECUs can get appropriate keys to participate in secure vehicle communication

End of line programming

u Replacement of initial keys by OEM specific master keys

u Insertion of additional keys

u On board derivation of further keys

u Secure distribution of keys in the vehicle network

10

Variation points for technical solution


u Development-, production-, after sales processes @ Tier1 & OEM

u Existing backend key management processes and IT infrastructure (e.g. PKI)

u Security goals (based on assumptions about the security of the development / production / service environment)

u Performance goals (based on end of line programming requirements)

u Vehicle security architecture / vehicle key management paradigm (centralized / decentralized)

u Current situation: Vector provides proprietary vehicle key management solutions to support a large number of different OEMs

u Goal for standardization: find right level of abstraction

u to provide added value compared to proprietary solutions

u Support known OEM specifics via configuration and extension interfaces

11




u Example: Initial keying at OEM for SecOC


Summary

Agenda

12

Scenario 1: Off-board (backend) key generation


Diagnostic Tester KEYM KEYM

u Diagnostic Tester provides backend generated keys toeach node

u Key managers are limited to validatingbackend generated SECOC keys via

u SHE1.1 key update protocol or

u OEM specific key update containers

13

Scenario 2: On-board key derivation with coordinator


Diagnostic Tester KEYM (Server) KEYM (Clients)

u DiagnosticTester triggersSecOC keying

u On-board KEYM servercreates and storesvehicle specific secret

u On-board KEYM servercoordinates securedistribution of secret toclients (e.g. via Diffie-Hellman)

u KEYM clients use secret and key derivation function tosecurely derive SecOC keys

14

Scenario 3: On-board key generation without coordinator


Diagnostic Tester KEYM KEYM

u Diagnostic Tester triggers SecOCkeying

u No dedicated KEYM server whichcoordinates key negotiation (completlydecentralized)

u Group of ECUs participates in negotiation of shared secret (e.g. via Burmester-Desmedt )

u Participating nodes derive SecOC keysfrom shared secret

15





u Status of standardization

Summary

Agenda

16

Vehicle key management in a layered security concept


Secure External Communication

Secure Gateways

Secure In-Vehicle

Communication

Secure Platform

u Secure communication to services outside the vehicle (TLS)

u Intrusion detection mechanisms

u Diagnostic policy manager

u Vehicle key management

u Security event memory

u Authentic synchronized time

u Authenticity of messages

u Integrity and freshness of messages

u Confidentiality of messages

u Key storage

u Secure boot and secure flash

u Crypto library

u HW trust anchor (HTA)

Security Concepts

AU CCAUTOSAR4.4

CCSecOC

CCSHE, HSM, CCTPM, TEE,…

CCCSM / CCCRYIF / CCCRYPTO

Standard

CCSecurityCCExtensionsCCAUTOSAR4.4

17

u C1: Security Event Memory

u C2: Vehicle Key Management / Key Distribution

u C3: Secure Boot Status (dropped)

u C4: Authentic Synchronized Time

u C5: Dynamic Rights Management for Diagnostic Access

u C6: Improved Certificate Handling (integrated in C2)

u C7: Abstract pre-definition of Crypto Items in System Template (improves AUTOSAR tooling support for security)

AUTOSAR 4.4 Security Extensions


18

Timeline 2018


19






u Summary

Agenda

20

u Vehicle key management != key storage

u Secure management of cryptographic keys in all lifecycle phases adds an important layer of security

u Standardization has a lot of potential for cost saving but is challenging due to OEM specifics

u Vector provides OEM specific key management implementations for a number of OEMs

u AUTOSAR 4.4 Security Extensions provide KEYM module as a framework for vehicle key management

Outlook:

u Security Extensions will be continued in AUTOSAR 4.5

Important points

Summary

21 © 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V2.01.00 | 2016-05-09

For more information about Vectorand our products please visit

www.vector.com

Author:

Dr. Eduard Metzker

Vector Informatik GmbH

http://www.vector.com/

vehicle key management status of standardization · 2018-11-15 · u vehicle key management != key...

Documents