Securing vehicle central gateways
G. Stansfield, C. Shire Infineon Technologies
Conference Oct 2017, Coventry, UK
Infineon enables connected & safe mobility
Applications
Efficient powertrain for combustion, electric and hybrid vehicles, charging station for electric vehicles, car safety, assistance systems and safety systems, comfort electronics, authentication, mobile security, traction
Courtesy: AUDI
2 2017-10-03 Copyright © Infineon Technologies AG 2017. All rights reserved.
Infineon at a glance (slide with financial and market-position charts): business segments Automotive (ATV), Industrial Power Control (IPC), Chip Card & Security (CCS) and Power Management & Multimarket (PMM); revenue and segment result margin FY13 to FY16 [EUR m]; revenue split by segment FY 2016; more than 36,000 employees worldwide (as of Sep. 2016) in Europe, Americas and Asia/Pacific; 34 R&D locations, 19 manufacturing locations; market position in automotive power and smart card ICs per Strategy Analytics (April 2017) and IHS Markit (October 2016, July 2017).
Agenda
1. Trust Anchors and Automotive Systems
2. Trust Anchors Comparison
3. Use Case – Advanced Central Gateway
IT security is built on three cornerstones
› Integrity: accuracy & authenticity of data
› Confidentiality: protection of transferred data
› Availability: reliable access to communication channels
Automotive Security needs more…
Overall automotive security goals:
– Enable functional safety
– Protect business & IP
– Meet customers' quality expectations
– Fulfill privacy & regulation requirements
Secret keys are the basic prerequisite of any secured vehicle operation.
Secret keys must be protected
Key integrity & confidentiality are essential for system security:
› Compromised keys = no security
› Revocation of keys is expensive and takes time
› Key handling must be secured throughout the whole lifecycle
Trust Anchors provide protected execution environments & tamper resistance for higher-security demands:
› Key storage & related crypto operations
› Key management and deployment in insecure environments
Standard ICs can be attacked in various ways
› Observational attack, e.g. power analysis
› Manipulative attack, e.g. probing
› Logical attack, e.g. protocol fuzzing
› Semi-invasive attack, e.g. laser fault injection
Countermeasures overview – Opportunities and Limits
› Logical attacks can be mitigated by software consistency checks. Hardware features may support these countermeasures.
› Observational attacks can be mitigated by using randomization in software, combined with hardware features.
› Semi-invasive attacks can be mitigated by redundant software and hardware, building an effective barrier. Hardware features are needed as an efficient foundation.
› Manipulative attacks can be mitigated by using software and hardware cryptography. Hardware features are absolutely essential.
Features of Trust Anchors for Automotive Security
Discrete Security Controller (CAR2CAR, CAR2CLOUD, CAR2INFRASTRUCTURE)
› Protected external communication
› Certified hardware security
› Protecting critical keys & certificates
Integrated on MCU (HSM)
› Onboard security
› Protected communication & debug interfaces
› High-speed / real-time critical tasks
Trust Anchors Comparison
Infineon's trust anchors for automotive domains
Powertrain: transmission, battery management, engine control, …
Chassis domain: ABS/ESP, ACC, steering, …
Body: door module, air condition, body control module, …
Infotainment: telematics ECU, Car2Car communication, head unit, connectivity ECU
Central gateway: firewall / intrusion detection and prevention
Integrated hardware security:
› AURIX™ 1st & 2nd Gen – on board security across all domains
Discrete hardware security:
› SLI 76 / SLI 97 – cellular connectivity, enabling & securing external communication
› OPTIGA™ TPM – SOTA, authentication, central security hub, on-chip key generation & management
› SLI 97 V2V – Car2Car, securing external communication
Auto Security Trust Anchor Use Cases
We propose three use case classes (AURIX & TPM):
OPTIGA™ TPM (only)
• Central storage and processing of long-term keys and certificates
• Digital access right supervision (privacy protection, diagnostics access, data recorder, functional upgrades/releases)
• Measured boot
• …
COMBINED
• On board key generation & management
• SOTA
• Feature activation
• IDPS
• Data logging
• …
AURIX™ HSM (only)
• Real time bulk encryption/decryption (secure boot, firewall, secure onboard communication, on-the-fly integrity verification…)
• Symmetric key and password generation
• …
Remark: some use cases can be implemented with both AURIX or TPM. The security architecture requirements of the OEM are decisive. There is a need to maximize the security level and minimize overall cost.
HSM and TPM Overview
HSM – Integrated on MCU (diagram: AURIX™, e.g. TC23x, with HSM, flash, CAN and Ethernet interfaces)
› Integrated security hardware incl. protected key & program storage, internal firewall, debug protection, crypto accelerators (AES-128/ECC256/SHA-2), AIS31 compliant True Random Number Generator (TRNG) for key generation, …
› Separated execution environment (incl. 32-bit CPU) for sensitive code and data
› High performance, real-time capable
› Full automotive temperature range and quality (AEC-Q100 Grade 0+, DFR)
› AUTOSAR compliant
TPM – Discrete Chip (diagram: host processor, e.g. Linux-based MPU or AURIX™ MCU, with flash, firmware and basic SW, connected to the TPM over SPI)
› Discrete security hardware (based on proven smartcard technology)
› Highly protected long-term key storage
› AEC-Q100 Grade 2 compatible, burn-in and extended process control
› Standardized (~100 functions, inter-ECU interoperability)
› Supports multiple crypto schemes incl. AES-256/ECC512/RSA2048
› AIS31 compliant True Random Number Generator (TRNG) for key generation
› EAL 4+ high security certified hardware & software (high tamper resistance)
HSM and TPM Comparison 1: Security Software
TPM – Discrete Chip
› Implemented software: firmware (~100 functions), basic SW, host SW stack (TCG Software Stack, TSS), eco-system
› Functionality: crypto operations, key management, authorization, secure time, firmware update
› Standardized
HSM – Integrated on MCU
› Implemented software: crypto library, SHE+
› Functionality: crypto operations, SHE+
› User programmable
HSM and TPM Comparison 2: Security Protection
Secret code & data storage
› HSM: protection against read-out
› TPM: encrypted memory, encrypted data bus
Code execution
› HSM: separated & protected execution, internal firewall, debug protection
› TPM: encrypted data execution, self-checking dual CPU
Personalization
› HSM: unique chip identifier
› TPM: personalized and protected processes (in development, supply and ECU lifecycle)
Massive hardware attack protection
› HSM: N/A
› TPM: maximized protection (e.g. shields, sensors etc.)
Security certification
› HSM: N/A
› TPM: Common Criteria EAL4+ high certified (HW + SW)
Use Case – Advanced Central Gateway
Advanced Gateway – Feature Activation Use Case – Simplified overview
Gateway ECU: AURIX 2G application processor (up to 6 cores, 300 MHz) with HSM (TriCore) and OPTIGA™ TPM (~100 functions, key store, access control); standard parameters are held in the ECU, Enhanced Parameters are delivered from the cloud via the Telematic Control Unit.
Setup of new parameters
› Loading of encrypted Enhanced Parameters
› Update TPM key usage authorization to enable new enhanced parameters
Usage of new parameters
› Request access to key
› Key access is granted
› Enhanced Parameters are decrypted and applied
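As an added illustration of the feature-activation steps above (not part of the original slides and not Infineon code), the constructed Python model below shows the key-usage authorization gate: the encrypted Enhanced Parameters are loaded first, the gateway's key request is refused until the TPM's usage authorization has been extended by an OEM-approved policy update, and only then are the parameters decrypted and applied. The ToyTPM key store, the HMAC-based OEM approval and the SHA-256 keystream cipher are simplifications assumed here, not the TPM 2.0 API or the AURIX HSM crypto.

```python
import hashlib
import hmac
# Constructed model of the slide's feature-activation flow (not Infineon code,
# not the TPM 2.0 API): the TPM holds a provisioned long-term key and a usage
# policy; the HSM gets a feature key only after the OEM extends that policy.

def _keystream_xor(key, data):  # toy SHA-256 counter-mode cipher, stands in for HSM AES
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def derive_feature_key(master, feature_id):  # per-feature key from the long-term key
    return hmac.new(master, b"feature:" + feature_id.encode(), hashlib.sha256).digest()

def oem_approval(oem_secret, feature_id):  # OEM back end approves one policy extension
    return hmac.new(oem_secret, b"authorize:" + feature_id.encode(), hashlib.sha256).digest()

def encrypt_parameters(feature_key, params):        # OEM back end side
    ct = _keystream_xor(feature_key, params)
    return ct + hmac.new(feature_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC

def decrypt_parameters(feature_key, blob):          # gateway HSM side
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(feature_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("enhanced parameters tampered or wrong key")
    return _keystream_xor(feature_key, ct)

class ToyTPM:
    def __init__(self, master, oem_secret):
        self._master = master          # long-term key, never leaves the TPM
        self._oem_secret = oem_secret  # stands in for the OEM CA credential
        self._authorized = set()       # feature ids whose key usage is enabled
    def update_authorization(self, feature_id, approval):
        if not hmac.compare_digest(oem_approval(self._oem_secret, feature_id), approval):
            return False               # forged policy update is refused
        self._authorized.add(feature_id)
        return True
    def request_key(self, feature_id):
        if feature_id not in self._authorized:
            raise PermissionError("key usage not authorized: " + feature_id)
        return derive_feature_key(self._master, feature_id)

def activate_feature(tpm, feature_id, blob):
    try:
        return decrypt_parameters(tpm.request_key(feature_id), blob)
    except PermissionError:
        return None                    # access refused, parameters stay encrypted
```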
Secure and cost efficient key generation & deployment in the OEM factory
Diagram: OEM Security Back End with key storage (K-Storage), Central Gateway with AURIX™ (e.g. TC3xx) HSM and OPTIGA™ TPM, ECU 1 and ECU 2; non-secure environment; labels "high availability" and "low availability".
1. Prerequisites
• TPM is personalized
• ECU provided with the OEM CA certificate
2. On-Board Key Deployment
• Cryptographic binding of ECU to car and between ECUs
• Centrally secured by TPM
3. Enable Secure On-Board Communication
• Generation of symmetric keys based on TPM keys
• Storage of symmetric keys in the HSM
OPTIGA™ TPM serving as a trust anchor for the OEM Security Back End: saving cost, simplifying security processes and increasing security.
Some further use case proposals … you have many more ideas!
"Connectivity" (Head Unit, Telematics etc.)
AURIX™ HSM: • Secure boot • Run time integrity • Secure FLASH Bootloader • Firewall
OPTIGA™ TPM: • Secure Backend Communication
COMBINED: • Encrypted data storage • Lifecycle protection • ECU recovery from threats • Secure Time • Black box logging • Virtualization support • SOTA
"Domain" (Central Gateway, Sensor Fusion, Body Control Module etc.)
AURIX™ HSM: • Secure boot • Run time integrity • Secure FLASH Bootloader • Immobilizer (BCM, CG) • Secure on-board communication • Firewall • Intrusion detection prevention
OPTIGA™ TPM: • "Fort Knox" (most critical keys and certificates) • Secure Backend Communication
COMBINED: • ECU recovery from threats • Lifecycle protection, crypto-agile • Secure Time • Privacy protection • SOTA • On-board key generation & deployment • Feature activation • Protection of the OBD interface (diagnostics) • Secure data logging (black box) • Diagnostics • Component protection
"Standard" (EMS, Airbag etc.)
AURIX™ HSM: • Secure boot • Run time integrity • Secure FLASH Bootloader • Immobilizer (EMS) • Secure on-board communication
OPTIGA™ TPM: –
COMBINED: • SOTA • On-board key generation & deployment • Protection of the OBD interface (diagnostics) • Diagnostics • Component protection
Summary
› Infineon investigates solutions to provide security by a combination of AURIX™ and OPTIGA™ TPM.
› Infineon's scalable portfolio of hardware trust anchors can achieve digital resilience and survivability in a cost efficient manner through the supply chain.
› Connected cars offer cost saving potentials, convenience gains and new business opportunities. Trust anchors are indispensable in this context.