escrypt GmbH – Embedded Security Systemhaus für eingebettete Sicherheit
Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project
Marko Wolf, escrypt GmbH – Embedded Security CAST Workshop Mobile Security for Intelligent Cars Darmstadt, Germany, August 27th, 2009
escrypt GmbH Lise-Meitner-Allee 4 44801 Bochum
[email protected] phone: +49(0)234 43 870 209 fax: +49(0)234 43 870 211 27.08.2009 Folie 2 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars Motivation The need for The need in - vehicle You already know this… know You already security
[email protected] 27.08.2009 ...... locks, updates) feature activation, software Circumvent Steal Harm Misuse Impersonate Violate industrial espionage) Spy on (e.g., tolldigital tachograph, devices, chip tuning) Manipulate Folie 3 the vehicle ora valuablecomponent passengers, destroy OEM’s reputation (e.g., safety attacks) Strong need for reliable security mechanisms! security for reliable need Strong Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars manufacturer's expertise and and property (e.g., manufacturer's expertiseintellectual counterfeits, external communications (e.g., externalcommunications (e.g., disturb, misuse,harm) privacy(e.g., issues contacts, trips)last The for need in restrictions in hardware or restrictions softwarefunctionality (e.g., speed financially, legally, or warranty relevantvehicular components (e.g., plate) (e.g., electronic license Possible attacks & attack intentions for vehicles - vehicle security vehicle
[email protected] 27.08.2009 . . . . o o o embedded and mobile world embedded Vehicular IT isclient/server, points attack Many different attacking incentives and attackers Many different .. attacks” Beyond “standard Standard(non Physical Physical attacks Offline attacks Insider attacks Folie 4 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars The security of vehicular security mechanisms security The ofvehicular security Why Why just applying standard (non - vehicle) security solutionswon’t work!security vehicle) - vehicle) solutionswon’t work
[email protected] 27.08.2009 . . . . security mechanisms reliable Software security read Hardware security a System security thought Organizational security secure well secure Folie - out,locks,side physical 5 softwaresecuritymechanisms security processes, secure infrastructuressecurityprocesses,secureand organizationalsecurity policies Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars The security of vehicular security mechanisms of vehicular security The security - thought security system design and adequate securitysecurityand adequateprotocols system thoughtdesign against The s against against that protect and enforce securitymechanismsthatenforceof software protectand ecurity ecurity ITpyramid system of adependable against logical logical attacks software attacks hardware hardware attacks - channels etc.) by etc.) channels organization attacksorganization (e.g., secure init, secure RTE) and RTE)and secure secure init,(e.g., (e.g., cryptographic weaknesses weaknesses weak APIs)by or cryptographic(e.g., (e.g., weak OS mechanisms or malware) by or malware) weak OSmechanisms (e.g., (e.g., security artifactssecurityor manipulations(e.g., hardwaretamper (e.g., social engineering) by well (e.g., socialengineering) - protection hardware measures -
[email protected] 27.08.2009 . . . . Prevents Reduces Accelerates Protects Folie circuitry hardware purpose circuitry of general instead Applying Applying Applying security processing secure and storage, secure generation, Secure Providing a trustworthy Applying Applying special highly optimized 6 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars Vehicular Security Hardware software security software security by mechanisms security costs by security on highvolumes hardware tampering attacks attacks tampering hardware by - What security hardware can help hardware What security critical critical from material all pot.shielded malicious SW cryptographic accelerators cryptographic tamper security security mechanisms by - protection security anchor security measures for upper SW layers SW for upper of
[email protected] 27.08.2009 . . o o o o automotive General o o o for example: vehicular environments, Proprietary Folie Are where any s any where Are Mobile Module Trusted Module Trusted Platform Cryptographic smartcards IBM cryptographic coprocessor Toll Collect OBU Digital tachograph Immobilizer 7 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars Vehicular Security Hardware - purpose hardware security for security modules hardware purpose What is the current situation? current What is the and environments , for example: environments single olutions for vehicular security HW? security vehicular olutions for - purpose purpose hardware security security hardware solutions in IBM 4758 cryptographicIBM 4758 coprocessor VDO VDO digital tachograph non -
[email protected] 27.08.2009 . . . . . ECU security architecture ECU architecture security for practicability Implement o o o Design Detect safety applications Prevent tampering and sensitive data are protected against compromise. board networks where security designing, verifying, and an prototyping architecture automotive for on Powerful hardware extension ECU security Folie corresponding corresponding (e ECU components software security ECU extensionhardware security 8 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars E manipulated information from manipulated and - or at least detect safety Vehicle Intrusion Vehiclesafety Project objectives verify , demonstrate - safety) securityprotocols safety) a ECU architectureECU security - malicious malicious malfunction relevant relevant components are protected against and and validate proTected external entitiesexternal that: that: Application (EVITA) , including of in “.. aims at - ” vehicle e vehicle - -
[email protected] 27.08.2009 ...... Further information Total cost Duration MIRA, TRIALOG from Belgium, UKFrance, Sweden, Germany, KULeuven, Institute TELECOM, Infineon, Fujitsu, Fraunhofer, Partners Program e TPM”) architecture security protecting enabling a vehicular for Objective: Folie - safety V2X communications communications safety V2X (e.g., break, emergency 9 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Project : BMW, Bosch, Continental, escrypt, EURECOM, : BMW, EURECOM, Bosch, escrypt, Continental, : FP7 : 36 (July months 2008 : 6 million Automotive capable Automotive (“automotive security capable hardware Background Background information - ICT - 2007 of the European Community Community the (EC) 2007European of € : www.evita – - project.org June 2011) June eCall )
[email protected] 27.08.2009 . Microcontroller Folie 10 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA General Approach Microcontroller Microcontroller security extension
[email protected] 27.08.2009 Folie 11 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA General Approach Basic Basic software layer including security software and EVITA drivers ECU ECU security architecture E - safetyapplication layer (security protocols) Microcontroller abstraction layer (MCAL) Microcontroller hardware layer AUTOSAR Linux / ( MobLin ) RTE Security Security hardware
[email protected] 27.08.2009 . o o o o o Work plan Folie 2011: 2011: as open Publication specification 2010: Prototyped in SW 2010: & HW implementation Reference 2009: on Secure analysis 2008: requirements Security 12 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Project Status Current Current work plan /milestones - board board architecture design - based car) based (lab demonstration
[email protected] 27.08.2009 . o o o o o Identification of e Folie Diagnosis: Diagnosis: diagnosis, “remote repair”.. remote activation,ECU Feature replacement.. Aftermarket: isolation/integration.. CE secure Party applications, User/Third Integration: V2I: POI, e danger V2V: information, warning, break.. local activeTraffic 13 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Project Status - Call, e What donehas been I - Tolling, “remote vehicle function function control”.. Tolling,“remote vehicle - safety relevant relevant use safety - cases (D2.1) cases
[email protected] 27.08.2009 . o o o (D2.3/B) Identification ofpossibledark and evaluation Folie Threat and risk analysis based on taxonomy on based potential CC attack analysis riskThreat and attack e e warning with tamper (tamper messages, attacks Possible OEM, gain, harm financial reputation, gain, terrorism..)personal driver driver,hacker gain gain (harm information, motivationsAttack 14 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Project Status - Tolling,e attack What donehas been II - Call, safety Call,attacks..) - side scenarios side scenarios - traffic control, control, traffic
[email protected] 27.08.2009 . o o Specification security (D2.3)of relevant requirements Folie Basic security requirements prioritization Basic security requirements control, privacy, access freshness, availability authenticity, regarding confidentiality, data Security requirements 15 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Project Status What donehas been III
[email protected] 27.08.2009 EVITA security extension in every ECU? in every extension security EVITA Folie 16 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA HardwareOverall Architecture Deployment Deployment architecture I
[email protected] 27.08.2009 . . o o o By modules enables: applying EVITA o o o tomeet: levels Appropriate security hardware Cost security architecture security EVITA security extension in every ECU? in every extension security EVITA Folie Efficiently meet cost, security, and functional requirements and functional security, cost, Efficiently meet other witheach securely interact capable to All are modules Protection of allsecurity requirements functional different (security) requirements different protection security different costconstraints 17 - effective, flexible, andholisticflexible, vehicular effective, Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA HardwareOverall Architecture Deployment Deployment architecture I - critical ECUs architecture ECUs security for a holisticcritical
[email protected] 27.08.2009 . . . o o o EVITA o o o EVITA o o EVITA Folie Critical small ECU: ECU: Criticalmodule, lighting, e.g., small clock GPS Critical e.g., actuator: breaks, door locks, turn signal indicator sensors e.g., pedal Critical sensors: wheel, acceleration, Immobilizer module Front/rear Engine control Central (possibly) gateway V2X unit communication 18 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars full small small medium EVITA HardwareOverall Architecture module in 1 Deployment Deployment architecture II in less, but in less, security module in2 module – 2 high - 4 central 4 central multi - performance comm. performance ECUs - critical critical client ECUs - purpose ECUs purpose
[email protected] 27.08.2009 Folie 19 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA HardwareOverall Architecture a B c t r u e a a G t k o P
r E S s V Deployment Deployment architecture III m
S I a T e l A n l
s E s o V m r I a T l A l
E S P m E G e V a d I t T i e u A w m
a y m E e V d I T i u A m
H e V a I d N u
n s i o t , u
V r c E 2 s e X V m E . I . a T V f l u A l I T l
l A a A c i t r u b a a t g o
r E s V m I a T l A l
E n g i n e m E e V d I i T u A m
[email protected] 27.08.2009 . . . . . COUNTER according to AES but also advanced AES AES WHIRLPOOL verify and ≈ can generate that arithmetic ECC Folie - - - - 20 based based 256 A W PRNG 128 E H S N - I b R I Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars a S L s T E e P - EVITA Hardware SecurityModules : Symmetric
F d C GF(p) O
I h P C O : 16 x 64 a S : PRNG using a - s
L 2 h NIST NIST standardized 1
5 8 C 6 6 r : function ASIC w/ hash (allows Generic - y - 2 BSI p C G t
o C p Full g A F r M r i a : High m ( E p , p h G e S i ) c
C -
f - b i e M 1 u AIS20 AIS20 standard i l l 2 d d
f i / n 8
g A AE modes size version(draft!)
- b E E l o V bit monotonic counters at 1 Hz toas act c I k - T A 1 performance 256 w NIST NIST standard
6 A c i r t x C y h E
p 6
o T S t 4 o u R b g - n P r N i t a
t G p R m e h true random true random seed
o r N i s c s n e
G b o e o t d u . n d a I I e.g. GCM/CCM e.g. GCM/CCM with ≈ r n n y hash function function with ≈ hash t t e e r r 5 6 n n 1 4 a a 2 E
k
with ≈ l l k C
B N R B U L o
V A c g h i c M M i
p b
u ECB/CBC ECB/CBC block encryption/decryption b i l o d u i n n g M I 1 d
n E b - i a 0 l c t i o V r n 0 e r bit c y o
k t r 500 500 Mbit/s I M e b T n l H r a a A f z z a l 250 250 signatures/s
e
H C R c
NIST NIST standard 3 e I W P S 2 b C U
i t based an internal AES engine AES an internal based
i n t e r n a l 1 1 Gbit/s 1 1 Gbit/s throughput I SHA n - A A v e p p h p p N C i c l l l i i V P e c c
a a M U b - u t t A 3 i i elliptic curve elliptic s o o p
s n n p ) actually using using ) actually y l
i c s a t throughput e t i “secure “secure clock” o throughput m n
A c B o i p u n r e p s t R e l - i A c r c f o a M a m t c i o e m n
[email protected] 27.08.2009 . . . . (e.g., (e.g., providespre message software EVITA CPU and for application functionality the security hardware HW capacity with aof≈> and certificates security Internal and of ≈> capacity withvariables a Internal non Internal Folie - - 21 API A W time E H S N - I b R I Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars a S L s T : EVITA hardware interface to enforces a a : enforces well to EVITA hardware interface E - - - e P EVITA Hardware SecurityModules
F d C NVM RAM CPU O -
I h P C critical cryptographic ≈ at cryptographic criticaloperates functionality that O a S - s
L 2 h 1
5 8 C 6 6 r - y - 2 p C : Internal G t
o C p Full : Small volatile memory to store for instance runtime values : memory runtime for to storevolatileinstance Small g A : non Small F r M r i a m ( E p , p h G e S i ) c
C
f - b i e M 1 u i l l 2 d d
f i / n 8
g A size version(draft!)
b E E l o V c I k T A 1 w
6 A c i r t x C y h E
p 6
o T S t 32 4 o u R b g - n P r N i t a
t G p R m - e h -
o volatile memory to for keys storeinternal instance r N i s c s n e bit RISC
G b o e o - t d u . /post n d a I I r n n y t t e e r r 5 6 n n 1 4 a a 2 E
k
l l k C
B - N R B U L processing, sessionmanagement/control) o
V A c g microprocessor all tohandle logicsand h 64 64 kByte i c M M i
p b
u b i l o d u i n n g M I 1 d
n E b i a 0 l c t i o V r n 0 e r c y o
k t r I M e b T n l H r a a A f z z a l
e
H C R c
3 e I W P S 2 b C U
i t
512 512 kByte i n t e r n a l I n - A A v - e p p h defined access to the access defined p p N C i c l l l i i V P e c c
a a M U b u t t A i i s o o p
s n n p y l
i c s a t e t i o m n
A c B o i p u n r e p s t R e 100 100 MHz l - i A c r c f o a M a m t c i o e m n
[email protected] 27.08.2009 . . . . Meets Meets – Very fast symmetric slow but rather cryptography in hardware, hardware no ECC dedicated Virtually to identical EVITA the significant Designed to Folie but nonetheless practicable practicable but nonetheless 22 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars all in EVITA Hardware SecurityModules C C A M E , G S C C - r cost cost pressures y M 1 p 2 t
Medium Medium o f - / g 8
r A a suit both suit vehicle security vehicle p E h i c
b u 1 w i l 6 A d i i t x C n h E g
6
o T S b E 4 l u o R V b - c n I P N i k T t
t A G R m e
c o r N s r s n y e G p o e t t d o . g size version(draft!) r a p I I h n n : stringent i c t t e e
b r r 5 o 6 n n u 1 4 n a a 2
d
k l l k a
B N R B r L y o V A g of powerful multi powerful of i c M M
b u E i l d C i n U g M I 1
n
E and and b c i use cases, forV2X cases, but notsuitable use 0 l c t i h o V n 0 e r c i p o
k t r I M
– e b T b n l o H r a a A full u f z z a l n
e
H d C R c asymmetric asymmetric cryptography
a 3 e security I W r P S 2 y no dedicated hash hardware hash no dedicated b C U
i t
version except in that except it version has i n t e r n a l I n - requirements and requirements A A v e p p h p p N C i c l l l i i V P e c c -
a a M U b functions functions ECUs u t t A i i s o o p
n n s p y l
i c s a t e t i o m n
A c B o i p u n r e p s t R e l - i A c r c f o a M a m t c i o e m n
[email protected] 27.08.2009 . . . protected protected information sensors actuators to and Cannot any hardware provide by the processor) application hardware Reduced to a very single orcritical security provide process information Integrates Folie 23 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars EVITA Hardware SecurityModules accelerator accelerator all (i.e., are handled security credentials and protects and protects Small size version (draft!) small small ECUs cost efficiently process and generate and generate process efficiently E C U C E
E C c V - i h A V n M I i T p - E optimized symmetric AES optimized symmetric t I ,
A e T G b S based security, but enables but enables security, based
o r e A C u f x - a n M 1 t
e H d c 2 n
a f e s W / 8 r
i y o A n
E , i n sensors t e r n a l I n - A A v e p p h p p N C i c l l l i i V P e c c
a a M U b u t t A i i and s o o p
n n s p y l
i c s a t e t i o m n
A c B o i p u n r e actuators p s t R e l - i A c r c f o a M a m t c i o e m n
that
[email protected] 27.08.2009 SecureV2X application applications Vehicular Folie 24 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars Dependable VehicularSecurityArchitectures EVITA enabled EVITA enabled EVITA enabled infrastructure Continuous security from chain ITSto sensors infrastructures vehicle vehicle Cars & enabled enabled ECU V2X Head unit EVITA full EVITA EVITA Standard Standard ECU enabled enabled ECU enabled ECU enabled ECU enabled ECU EVITA EVITA medium medium small small small Sensors/Actuators enabled enabled ECU enabled ECU enabled ECU EVITA EVITA EVITA small small small small
[email protected] 27.08.2009 effective effective hardware security anchors environments in vehicular opportunities However, currently not available standards) Automotive security (or even proof hardware software attacks helps Vehicular hardware security hardware Standardized security Folie vehicular mechanisms vehicular security is essential essential 25 Marko Wolf, Marko escryptVehicularSecurity& Wolf, EVITA. Securityfor GmbH: Workshop MobileHardware IntelligentCAST Cars Conclusion and Outlook open open for the security for thesecurity of to act cost to act trustworthy and as effective, EVITA and and many attacks many physical prototypes be prototypes could (neither low (neither preventing - level norhigh level promising promising almost almost - level) all -
[email protected] Dr.-Ing. Marko Wolf Senior Security Engineer [email protected]
escrypt GmbH Lise-Meitner-Allee 4 44801 Bochum
[email protected] phone: +49(0)234 43 870 209 fax: +49(0)234 43 870 211