V1.00 | 2015-05-27
Current Status
AUTOSAR Security Modules
1. AUTOSAR
2. CAL & CSM
3. SecOC
Agenda
2/40
Automotive Open System Architecture Software for electronic control units (ECU)
Software architecture
IntroductionAUTOSAR
LIB
RTE
Microcontroller
SYS
COM
CDDMCAL
SWC/Application
3/40
Software component (SWC) / Application Implementation of functionality of ECU Runs on microcontroller Sends & receives data to and from other ECUs (in network)
IntroductionAUTOSAR
Microcontroller
SWC/Application
4/40
Run time environment (RTE) Provides interface to basic software (BSW)
IntroductionAUTOSAR
RTE
Microcontroller
SWC/Application
5/40
System services (SYS) and libraries (LIB) Cryptographic modules
Operating system (OS)
Complex device drivers (CDD)
IntroductionAUTOSAR
LIB
RTE
Microcontroller
SYS
CDD
SWC/Application
6/40
Communication modules (COM) send & receive data on automotive bus systems
> Controller Area Network (CAN)> Local Interconnect Network (LIN)> FlexRay> Ethernet> ...
IntroductionAUTOSAR
LIB
RTE
Microcontroller
SYS
COM
CDD
SWC/Application
7/40
Microcontroller abstraction layer (MCAL) BSW & SWC independent of microcontroller
IntroductionAUTOSAR
LIB
RTE
Microcontroller
SYS
COM
CDDMCAL
SWC/Application
8/40
New security challenges Automotive software plays central role in car innovations Car connectivity will provide an essential part for value-added features
Car security – strict and secure access control to… … the car and its parts (ECU) … sensitive car data (odometer, motor characteristic) … passenger’s data (GPS) … intellectual property of the OEM
Motivation for security modules in AUTOSARAUTOSAR
9/40
CAL & CSM Basic cryptographic primitives for BSW and application
SecOC Authenticated communication seamlessly integrated into the AUTOSAR
communication stack
AUTOSAR security modulesAUTOSAR
10/40
1. AUTOSAR
2. CAL & CSM
3. SecOC
Agenda
11/40
IntroductionCAL & CSM
LIB
RTE
Microcontroller
SYS
COM
CDDMCAL
SWC/Application
Crypto Abstraction Library – CAL BSW, CDD or SWC use CAL by
inclusion
Memory allocated by caller Enables re-entrance
CALCrypto Primitive Library – CPL SW implementation of
cryptographic primitivesCPL
Crypto Service Manager – CSM SWC use CSM through RTE
BSW/CDD use CSM by inclusion
Asynchronous operation possible Callback indicates application
CSM
Crypto library module – CRY Implementation of cryptographic
primitives
CRY CRY
SHEDRV
SHE
Usage of SW or crypto HW possible
12/40
Abstract definition of cryptographic services
No definition for a concrete cryptographic algorithm
Supported Cryptographic ServicesCAL & CSM
Key derivation function (KDF)
Key generation, update*, export, import
Key exchange protocols
Key Management
*Csm only
Miscellaneous
Compression/ Decompression
Checksum
Basic Cryptography
Hash
Message authentication code (MAC) Generation Verification
Random number generation
Encryption/ Decryption Symmetric Asymmetric
Signatures
13/40
Individual configuration of each required service
Set of distinct configurations
Specific implementation for each service configuration
Cryptographic Service ConfigurationCAL & CSM
AsymEncryptService HashServiceSymEncryptService
AsymEncrypt_1
AsymEncrypt_2
SymEncrypt_1
SymEncrypt_2
RSA2048
RSA4096
AES
TwoFish
14/40
Cryptographic Service ConfigurationCAL & CSM
AsymEncryptService HashServiceSymEncryptService
AsymEncrypt_1
AsymEncrypt_2
SymEncrypt_1
SymEncrypt_2
RSA2048
RSA4096
AES
Serpent
Individual configuration of each required service
Set of distinct configurations
Specific implementation for each service configuration
Implementations may change in future
15/40
Cryptographic Service ConfigurationCAL & CSM
AsymEncryptService HashServiceSymEncryptService
AsymEncrypt_1
AsymEncrypt_2
SymEncrypt_1
SymEncrypt_2
RSA2048
RSA4096
AES
Serpent
ECC256
ECC512
Individual configuration of each required service
Set of distinct configurations
Specific implementation for each service configuration
Implementations may change in future
API compatibility not ensured
16/40
Streaming services
General UsageCAL & CSM
Indefinite long data stream
...Start
Initialization with Start function (e.g. Csm_SymEncryptStart)
Update
Update function (e.g. Csm_SymEncryptUpdate)
Update Update Update...
Finish function (e.g. Csm_SymEncryptFinish)
Finish
Result
Non-streaming services Example: Csm_GenerateRandom
17/40
Hardware-based SecurityCAL & CSM
LIB
RTE
Microcontroller
SYSCSM
CRY
CDDMCAL SHEDRV
SHE
SWC/Application
CSM services use cryptographic hardware or software implementation
CRY
18/40
Secure Hardware Extension (SHE) On-chip extension to microcontroller Memory for secure storage of (cryptographic) data Hardware extension for cryptographic primitives Specified by Hersteller Initiative Software (HIS)
Hardware-based SecurityCAL & CSM
Controller
CPU
Peripherals (CAN, UART, ...)
SHE – Secure Hardware Extension
Control Logic
AES
RAM + Flash + ROM
Secure Zone
19/40
SHE - PerformanceCAL & CSM
AES ECB Encryption: SHE vs. Software library
0
200
400
600
800
1000
1200
1400
1600
1800
2000
SHE 64 Mhz SW 64 Mhz SHE 120 Mhz SW 120 Mhz
µs
1 Block
3 Blocks
6 Blocks
24.94
2002.5
1111.6
13.5
Measured on a Freescale MPC5646C (w/ CSE), MICROSAR Stack with CSM and SHE driver with the Vector ‘AUTOSAR Measurement and Debugging (AMD) Runtime Measurement (Rtm)‘ Tool.
1 Block = 16 bytes
20/40
1. AUTOSAR
2. CAL & CSM
3. SecOC
Agenda
21/40
IntroductionSecOC
LIB
RTE
Microcontroller
SYS COM
CDDMCAL
SWC/Application
SecOC is parallel to PDUR PDUR routes PDUs PDU is a message on a bus
PDURSecOC
22/40
SecOC is parallel to PDUR
PDUs are routed through SecOC
PDU & authentication sent & received through IF or TP modules COM module combines data into
PDUs IF modules send & receive
atomic messages TP modules manage messages
longer than atomic messages
IntroductionSecOC
LIB
RTE
Microcontroller
SYS COM
CDDMCAL
SWC/Application
COM
PDUR
IF/TP
SecOC
23/40
IntroductionSecOC
LIB
RTE
CAL
Microcontroller
SYS
CSM
COM
CDDMCAL
SWC/Application
COM
PDUR
IF/TP
SecOC
SecOC is parallel to PDUR
PDUs are routed through SecOC
PDU & authentication sent & received through IF or TP modules
SecOC uses Cal or Csm
RTE-interface
Authentication: MAC or signature
24/40
SecOC sends & receives secured PDUs
Secured PDUs are protected against Manipulation Random errors Replays
FunctionalitySecOC
Secured PDU
ECU 1 ECU 3
BUS
25/40
Sending a secured PDUSecOC
Secured PDU
ECU 1
PDU 1DataID 1
DataID assigned to secured PDU
Authentic PDU
26/40
Sending a secured PDUSecOC
Secured PDU
ECU 1
PDU 1DataID 1
Fresh. Value
Freshness value Monotonic counter to prevent replay attacks
Implementation Timestamp Counter
27/40
Sending a secured PDUSecOC
Secured PDU
ECU 1
PDU 1DataID 1
MAC Generator
MAC
DataID, PDU, freshness value form input to MAC generator
Symmetric key required for MAC generation
SecOC may use CMAC to benefit from SHE
Fresh. Value
28/40
Sending a secured PDUSecOC
Secured PDU
ECU 1
PDU 1DataID 1
PDU 1 MACFresh.ValueFresh. Value
MAC Generator
MACMAC
PDU, truncated freshness value, truncated MAC form secured PDU
LSBs
MSBs
29/40
Sending a secured PDUSecOC
Secured PDU
ECU 1
PDU 1DataID 1
PDU 1 MACFresh.ValueFresh. Value
MAC Generator
MACMAC
NIST Special Publication 800-38B (CMAC) Truncated MAC length 64 bits
Truncated MAC length must be thoroughly chosen dependent on network attributes and security requirements
MSBs
30/40
ECU 1
Fresh. Value
Reception of a secured PDUSecOC
Secured PDU
DataID 1
PDU 1 MACFresh.Value
ECU 3
PDU 1DataID 1
Ver. Fresh.
Authentic PDU is parsed
DataID must be identical for sender and receiver
Truncated freshness value is synchronized to form verification freshness value
replace LSBsPDU 1
MAC Generator
MACMAC
31/40
Reception of a secured PDUSecOC
Secured PDUPDU 1 MACFresh.
Value
ECU 3
PDU 1DataID 1
Ver. Fresh.
Verification freshness value stored freshness value (replay attacks) If not: Increment MSBs of verification freshness value
Synchronization between sender and receiver
Ver. Fresh.
0..00..01+
=Ver. Fresh.
32/40
Reception of a secured PDUSecOC
Secured PDU
ECU 1
PDU 1 MACFresh.Value
ECU 3
PDU 1DataID 1
MAC Generator
Fresh. Value
MACMAC
DataID, PDU, verification freshness form input to MAC generator
Symmetric key must be identical for sender and receiver
MSBs of calculated MAC are compared to truncated MAC If successful, PDU is forwarded If not, PDU is dropped
compare
Fresh. Value
DataID 1PDU 1
MAC Generator
MACMAC
33/40
System ConfigurationSecOC
ECU 1 ECU 2 ECU 3
BUS
PDU 2
PDU 1
PDU 2
PDU 1PDU 1
PDU 3 PDU 3
34/40
System ConfigurationSecOC
ECU 1
PDU 2
PDU 1
PDU 3
ECU 2
PDU 2
ECU 3
PDU 1
PDU 3
BUS
PDU 1
35/40
System ConfigurationSecOC
ECU 1
PDU 2
PDU 1
PDU 3
ECU 2
PDU 2
ECU 3
PDU 1
PDU 3
BUS
PDU 1DataID 1 DataID 1 DataID 1
DataID 2 DataID 2
Assignment of DataIDs to the to-be-secured PDUs
36/40
System ConfigurationSecOC
ECU 1
PDU 2
PDU 1
PDU 3
ECU 2
PDU 2
ECU 3
PDU 1
PDU 3
Specification of the layout of the secured PDU
BUS
PDU 1DataID 1 DataID 1 DataID 1
DataID 2 DataID 2
MACFresh.Value MACFresh.
Value MACFresh.Value
MACFresh.Value MACFresh.
Value
37/40
System configurationSecOC
ECU 1
PDU 2
PDU 1
PDU 3
ECU 2
PDU 2
ECU 3
PDU 1
PDU 3
Assignment of keys to the secured PDUs
Initial keying
Re-keying
BUS
PDU 1DataID 1 DataID 1 DataID 1
DataID 2 DataID 2
MACFresh.Value MACFresh.
Value MACFresh.Value
MACFresh.Value MACFresh.
Value
38/40
System configurationSecOC
ECU 1
PDU 2
PDU 1
PDU 3
ECU 2
PDU 2
ECU 3
PDU 1
PDU 3
PDU 1DataID 1 DataID 1 DataID 1
DataID 2 DataID 2
MACFresh.Value MACFresh.
Value MACFresh.Value
MACFresh.Value MACFresh.
Value
ECU1_Extract ECU2_Extract ECU3_Extract
39/40
© 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.00 | 2015-05-27
For more information about Vectorand our products please visit
www.vector.com
Author:Philipp Werner, Armin Happel, Ralf Fritz, Steffen KeulVector Informatik GmbH
Top Related