
Securing vehicle central gateways

G. Stansfield, C. Shire Infineon Technologies

Conference Oct 2017, Coventry, UK

Infineon enables connected & safe mobility

Applications

Efficient powertrain for combustion, electric and hybrid vehicles, charging station for electric vehicles, car safety, assistance systems and safety systems, comfort electronics, authentication, mobile security, traction

Courtesy: AUDI

2 2017-10-03 Copyright © Infineon Technologies AG 2017. All rights reserved.

Infineon at a glance

Financials [EUR m] (revenue / segment result / segment result margin):
FY 13: 3,843 / 377 / 9.8%
FY 14: 4,320 / 620 / 14.4%
FY 15: 5,795 / 897 / 15.5%
FY 16: 6,473 / 982 / 15.2%

Business segments (share of revenue FY 2016): Automotive (ATV) 41%, Industrial Power Control (IPC) 17%, Chip Card & Security (CCS) 11%, Power Management & Multimarket (PMM) 31%.

Employees: more than 36,000 worldwide (as of Sep. 2016): Europe 15,176, Americas 3,691, Asia/Pacific 17,432. 34 R&D locations, 19 manufacturing locations.

Market position: #2 in Automotive (Strategy Analytics, April 2017), #1 in Power (IHS Markit, October 2016), #1 in Smart card ICs (IHS Markit, July 2017).

Agenda

1 Trust Anchors and Automotive Systems
3 Use Case – Advanced Central Gateway
2 Trust Anchors Comparison

IT security is built on three cornerstones

› Integrity: accuracy & authenticity of data
› Confidentiality: protection of transferred data
› Availability: reliable access to communication channels

Automotive Security needs more…

Overall automotive security goals:
– Enable functional safety
– Protect business & IP
– Meet customers' quality expectation
– Fulfill privacy & regulation requirements

Secret keys are the basic prerequisite of any secured vehicle operation.

Secret keys must be protected

› Compromised keys = no security
› Revocation of keys is expensive and takes time
› Key handling must be secured throughout the whole lifecycle

Key integrity & confidentiality are essential for system security.

Trust Anchors provide protected execution environments & tamper resistance for higher-security demands:
› Key storage & related crypto operation
› Key management and deployment in insecure environments

Standard ICs can be attacked in various ways

› Observational attack, e.g. power analysis
› Manipulative attack, e.g. probing
› Logical attack, e.g. protocol fuzzing
› Semi-invasive attack, e.g. laser fault injection

Countermeasures overview – Opportunities and Limits

Logical Attacks can be mitigated by software consistency checks. Hardware features may support these countermeasures.

Observational Attacks can be mitigated by using randomization in software, combined with hardware features.

Semi-invasive Attacks can be mitigated by redundant software and hardware, building an effective barrier. Hardware features are needed as an efficient foundation.

Manipulative Attacks can be mitigated by using software and hardware cryptography; hardware features are absolutely essential.

Features of Trust Anchors for Automotive Security

Discrete Security Controller
› Protected external communication (CAR2CAR, CAR2CLOUD, CAR2INFRASTRUCTURE)
› Certified hardware security
› Protecting critical keys & certificates

Integrated on MCU (HSM)
› Onboard security
› Protected com. & debug interfaces
› High-speed / real-time critical tasks

Agenda – 2 Trust Anchors Comparison

Infineon's trust anchors for automotive domains

Vehicle domains shown: Powertrain (transmission, battery management, engine control), Chassis domain (ABS/ESP, ACC, steering), Body (door module, air condition, body control module) and Infotainment (telematics ECU, Car2Car com, head unit, connectivity ECU), connected through the central gateway (firewall / intrusion detection prevention).

Discrete hardware security and integrated hardware security:
› On Board Security across all domains: AURIX™ 1st & 2nd Gen
› Cellular Connectivity, enabling & securing external communication: SLI 76, SLI 97
› SOTA, authentication, central security hub, on-chip key generation & management: OPTIGA™ TPM
› Car2Car, securing external communication: SLI 97 V2V

Auto Security Trust Anchor Use Cases

We propose three use case classes (AURIX & TPM):

OPTIGA™ TPM (only)
• Central storage and processing of long-term keys and certificates
• Digital access right supervision (privacy protection, diagnostics access, data recorder, functional upgrades/releases)
• Measured Boot
• …

COMBINED
• On board key generation & management
• SOTA
• Feature activation
• IDPS
• Data logging
• …

AURIX™ HSM (only)
• Real time bulk encryption/decryption (secure boot, firewall, secure onboard communication, on-the-fly integrity verification…)
• Symmetric key and password generation
• …

Remark: Some use cases can be implemented with both AURIX or TPM. The security architecture requirements of the OEM are decisive. There is a need to maximize security level and minimize overall cost.

HSM and TPM Overview

HSM – Integrated on MCU (AURIX™, e.g. TC23x, with HSM and Flash; interfaces CAN, Eth)
› Integrated security hardware incl. protected key & program storage, internal firewall, debug protection, crypto accelerators (AES-128/ECC256/SHA-2), AIS31 compliant True Random Number Generator (TRNG) for key generation, …
› Separated execution environment (incl. 32-bit CPU) for sensitive code and data
› High performance, real-time capable
› Full automotive temperature range and quality (AEC-Q100 Grade 0+, DFR)
› AUTOSAR compliant

TPM – Discrete Chip (TPM with Flash and Firmware, attached via SPI to a host processor, e.g. Linux-based MPU or AURIX™ MCU, which runs the Basic SW)
› Discrete security hardware (based on proven smartcard technology)
› Highly protected long-term key storage
› AEC-Q100 Grade 2 compatible, burn-in and extended process control
› Standardized (~100 functions, inter-ECU interoperability)
› Supports multiple crypto schemes incl. AES-256/ECC512/RSA2048
› AIS31 compliant True Random Number Generator (TRNG) for key generation
› EAL 4+ high security certified hardware & software (high tamper resistance)

HSM and TPM Comparison 1: Security Software

TPM – Discrete Chip (host processor, e.g. Linux-based MPU or AURIX™ MCU, connected via SPI)
› Implemented software: TPM firmware (~100 functions) on the chip; Basic SW and the host SW stack, the TCG Software Stack (TSS), with its eco-system on the host
› Functionality (standardized): crypto operations, key management, authorization, secure time, FW update

HSM – Integrated on MCU (AURIX™, e.g. TC23x; interfaces CAN, Eth)
› Implemented software: crypto library, SHE+, Basic SW
› Functionality (user programmable): crypto operations, SHE+

HSM and TPM Comparison 2: Security Protection

Feature: HSM – Integrated on MCU (AURIX™, e.g. TC23x) / TPM – Discrete Chip (host processor, e.g. Linux-based MPU or AURIX™ MCU, via SPI)

› Secret code & data storage: protection against read-out / encrypted memory, encrypted data bus
› Code execution: separated & protected execution, internal firewall, debug protection / encrypted data execution, self-checking dual-CPU
› Personalization: unique chip identifier / personalized and protected processes (in development, supply and ECU lifecycle)
› Massive hardware attack protection: N/A / maximized protection (e.g. shields, sensors etc.)
› Security certification: N/A / Common Criteria EAL4+ high certified (HW + SW)

Agenda – 3 Use Case – Advanced Central Gateway

Advanced Gateway – Feature Activation Use Case – Simplified overview

Gateway ECU: Application Processor AURIX 2G (up to 6 cores, 300 MHz; HSM on TriCore; standard parameters) together with an OPTIGA™ TPM (~100 functions; key store; access control). The Enhanced Parameters reach the gateway from the Cloud via the Telematic Control Unit.

Setup of new parameters
› Loading of encrypted Enhanced Parameters
› Update TPM key usage authorization to enable new enhanced parameters

Usage of new parameters
› Request access to key
› Key access is granted
› Enhanced Parameters are decrypted and applied
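The two phases above, modelled as an added stdlib-only Python example (not Infineon code, and not how an OPTIGA™ TPM implements authorization): the TPM holds the parameter key, the OEM back end issues an authorization ticket for one (key, feature) pair, and decryption of the Enhanced Parameters is refused until that ticket has been accepted. The HMAC-based ticket and the HMAC counter-mode cipher are constructed stand-ins for the TPM's policy authorization and symmetric cipher.

```python
"""Toy model of TPM-gated feature activation (constructed example, not Infineon code)."""
import hashlib
import hmac
import secrets

class AuthorizationError(Exception):
    """The TPM refuses a key usage that the OEM has not authorized."""

def _keystream(key, nonce, length):
    # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for the TPM's symmetric cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def authorization_ticket(oem_auth_key, key_id, feature):
    # Issued by the OEM back end for one (key, feature) pair; the TPM recomputes the same MAC
    return hmac.new(oem_auth_key, f"{key_id}|{feature}".encode(), hashlib.sha256).digest()

def encrypt_parameters(key, feature, plaintext):
    """Back-end side: nonce || ciphertext || tag, the tag bound to the feature name."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, feature.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

class ToyTpm:
    """Key store whose keys never leave the device; usage is gated per feature."""
    def __init__(self, oem_auth_key):
        self._oem_auth_key = oem_auth_key   # shared secret standing in for the OEM's credential
        self._keys = {}                     # key_id -> key material (never returned to the host)
        self._authorized = set()            # (key_id, feature) pairs enabled so far

    def provision_key(self, key_id, key):
        self._keys[key_id] = key

    def update_usage_authorization(self, key_id, feature, ticket):
        expected = authorization_ticket(self._oem_auth_key, key_id, feature)
        if not hmac.compare_digest(expected, ticket):
            raise AuthorizationError("invalid authorization ticket")
        self._authorized.add((key_id, feature))

    def decrypt_parameters(self, key_id, feature, blob):
        # "Request access to key": refused unless the feature was enabled for this key
        if (key_id, feature) not in self._authorized:
            raise AuthorizationError(f"usage of {key_id} for {feature} not authorized")
        key, nonce, ct, tag = self._keys[key_id], blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, feature.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("enhanced parameters failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

A ticket for a different key id or feature name is rejected, and a parameter blob altered in transit fails the integrity check before any plaintext is released.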

Secure and cost efficient key generation & deployment in the OEM factory

Diagram: Security Back End (non-secure environment) and Central Gateway with AURIX™ (e.g. TC3xx) HSM and OPTIGA™ TPM (K-Storage), serving ECU 1 and ECU 2; the back-end availability requirements are labelled "High availability" and "Low availability".

1 Prerequisites
• TPM is personalized
• ECU provided with the OEM CA certificate

2 On-Board Key Deployment
• Cryptographic binding of ECU to car
• and between ECUs
• centrally secured by TPM

3 Enable Secure On-Board Communication
• Generation of symmetric keys based on TPM keys
• Storage of symmetric keys in the HSM

OPTIGA™ TPM serving as a trust anchor for the OEM Security Back End: saving cost, simplifying security processes and increasing security.
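Steps 2 and 3 above as an added stdlib-only Python example (not Infineon code, and not the OEM's actual key hierarchy): a gateway TPM model keeps a vehicle master key on chip and derives, with HKDF-SHA256, one symmetric key per ECU pair bound to the VIN and to the pair, and an HSM model stores that key and protects frames with a truncated MAC and a freshness counter. The VIN, ECU names and frame layout are constructed for the example.

```python
"""Toy model of TPM-rooted on-board key deployment (constructed example, not Infineon code)."""
import hashlib
import hmac
import secrets

def hkdf_sha256(ikm, salt, info, length=16):
    # RFC 5869 extract-then-expand with the standard library only
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

class ToyTpm:
    """Central-gateway TPM: generates the vehicle master key on chip and never exports it."""
    def __init__(self, vin):
        self.vin = vin
        self._master = secrets.token_bytes(32)   # lives only in the TPM key storage

    def derive_pair_key(self, ecu_a, ecu_b):
        # Binding: key depends on the VIN (ECU to car) and on the unordered ECU pair (ECU to ECU)
        pair = "|".join(sorted((ecu_a, ecu_b)))
        return hkdf_sha256(self._master, self.vin.encode(), f"SecOC|{self.vin}|{pair}".encode())

class ToyHsm:
    """ECU HSM: stores deployed keys and protects frames with a truncated MAC plus freshness."""
    def __init__(self, ecu_id):
        self.ecu_id = ecu_id
        self._keys = {}          # peer ECU id -> symmetric key
        self._last_fresh = {}    # peer ECU id -> highest freshness value accepted

    def store_key(self, peer, key):
        self._keys[peer] = key

    def protect(self, peer, payload, freshness):
        fresh = freshness.to_bytes(4, "big")
        mac = hmac.new(self._keys[peer], fresh + payload, hashlib.sha256).digest()[:8]
        return payload + fresh + mac      # payload || freshness || 64-bit truncated MAC

    def verify(self, peer, frame):
        """Return the payload if MAC and freshness check out, else None."""
        payload, fresh, mac = frame[:-12], frame[-12:-8], frame[-8:]
        expected = hmac.new(self._keys[peer], fresh + payload, hashlib.sha256).digest()[:8]
        counter = int.from_bytes(fresh, "big")
        if not hmac.compare_digest(expected, mac) or counter <= self._last_fresh.get(peer, -1):
            return None                    # forged/tampered frame or replayed freshness value
        self._last_fresh[peer] = counter
        return payload
```

Both peers of a pair derive the same key regardless of argument order, while any other pair on the same vehicle gets a different one; a replayed frame is rejected because its freshness value is not above the last accepted.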

Some further use case proposals … you have many more ideas!

"Connectivity" (Head Unit, Telematics etc.)
• AURIX™ HSM: Secure boot; Run time integrity; Secure FLASH Bootloader; Firewall
• OPTIGA™ TPM: Secure Backend Communication
• COMBINED: Encrypted data storage; Lifecycle protection; ECU recovery from threats; Secure Time; Black box logging; Virtualization support; SOTA

"Domain" (Central Gateway, Sensor Fusion, Body Control Module etc.)
• AURIX™ HSM: Secure boot; Run time integrity; Secure FLASH Bootloader; Immobilizer (BCM, CG); Secure on-board communication; Firewall; Intrusion detection prevention
• OPTIGA™ TPM: "Fort Knox" (most critical keys and certificates); Secure Backend Communication
• COMBINED: ECU recovery from threats; Lifecycle protection, crypto-agile; Secure Time; Privacy protection; SOTA; On-board key generation & deployment; Feature activation; Protection of the OBD interface (diagnostics); Secure data logging (black box); Diagnostics; Component protection

"Standard" (EMS, Airbag etc.)
• AURIX™ HSM: Secure boot; Run time integrity; Secure FLASH Bootloader; Immobilizer (EMS); Secure on-board communication
• OPTIGA™ TPM: –
• COMBINED: SOTA; On-board key generation & deployment; Protection of the OBD interface (diagnostics); Diagnostics; Component protection

Summary

Connected cars offer cost saving potentials, convenience gains and new business opportunities. Trust anchors are indispensable in this context.

Infineon's scalable portfolio of hardware trust anchors can achieve digital resilience and survivability in a cost efficient manner through the supply chain.

Infineon investigates solutions to provide security by a combination of AURIX™ and OPTIGA™ TPM.

