Quantum Safe Authenticated Key Exchange Protocol for Automotive

Quantum Safe Authenticated Key Exchange Protocol for Automotive

Quantum Safe Authenticated Key Exchange 4 connection to the OEM Backend for ECUs, that already in the field. The symmetric algorithms used are supposed to be secure against quantum attacks and these keys can Quantum Safe Authenticated Key Exchange be used as anchors of trust, something that of course requires a centralized key man- Protocol for Automotive Application agement in place and the usage of hardware security anchors, such as HSMs or TPMs. Some ideas worth discussing are the following: Julius Hermelink1, Thomas P¨oppelmann2, Marc St¨ottinger3, Yi Wang4, and Taking advantage of a centralized architecture allows OEMs to focus on the con- Yong Wan4 nected and less resource-constraint Gateway ECUs as a first step. Future domain- based automotive architectures should be already well-suited for this purpose. 1 Research Institute CODE Handling the security use cases for older ECUs in the field in a specialized way: Universit¨atder Bundeswehr M¨unchen different certificates in parallel, only new ECUs handle the PQ Signatures. Older 2 Infineon Technologies, Germany ECUs could only get updates in controlled repair-shop environment, in case the clas- 3 Continental AG, Germany sical certificates are already broken. 4 Continental Automotive, Singapore “Smooth transition”: using classic certificates to perform secure online flashing. In the extreme case that asymmetric cryptography is broken, before a transition has been made: the trust anchor can be a (e.g. hardware aided) symmetric key. This al- Abstract. In this work, we propose an instantiation of a quantum-safe ready poses some requirements for automotive development, to incorporate hard- security protocol for authenticated key establishment (AKE) with for- ware security into the most critical ECUs, and focus on algorithm “agility” when ward secrecy. As core primitives, we use Newhope and XMSS and avoid designing those. signatures in the key exchange to achieve better performance. Exem- plary, the implemented protocol could be used to establish a secured and authentic communication channel between the electrical control unit (ECU) and a testing device for on-board diagnosis (OBD). To verify the 3 Conclusion feasibility, we implement an XMSS-based public key infrastructure (PKI) and the AKE protocol on the AURIX automotive embedded microcon- In conclusion, the technological transformation originating from the eve of quantum troller platform. We provide a breakdown of cycle cost and communica- tion overhead and demonstrate that a modern post-quantum AKE can computers poses a variety of challenges and risks for the automotive industry. In our be executed efficiently on our target platform. presentation, we want to address those and discuss some ideas regarding the steps needed towards overcoming them. 1 Introduction The automotive sector has seen a huge increase of connectivity and automation References over the last decade, resulting in the necessity for strong cryptography to preserve privacy, confidentiality, and authenticity of safety-critical data. In addition, most [1] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings applications and services implemented in each automotive electrical control unit of the Twenty-eighth Annual ACM Symposium on Theory of Computing, pages 212–219. 1996. (ECU) need to be secured over the entire life cycle. Diagnostic services of an ECU [2] Michele Mosca. Cybersecurity in an era with quantum computers: will we be ready? 2015. are one of the most important feature of every automotive ECU. Thus, these [3] National Institute of Standards and Technology. Post quantum cryptography, 2018. diagnostic service must be protected against unauthorized usage throughout the [4] Peter W. Shor. Algorithms for quantum computation. In Proceedings 35th Annual Sympo- entire life cycle of the ECU. During a remote diagnostic service for a software over sium on Foundations of Computer Science, pages 124–134. IEEE Computer Society Press, the air update, a session key is required to be exchanged between the ECU and 1994. the back end to authenticate and optionally encrypt the transferred data. Hence, [5] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms cryptographic schemes are implemented to prevent an abuse of the functions of on a quantum computer. 26:1484–1509, 1997. the diagnosis service to carry out attacks against the ECU. A quantum computer breaking common cryptographic schemes in the future could compromise products deployed much earlier with severe implications for the safety of automotive products still in use. This issue is currently addressed by the cryptographic community and standardization bodies. The main driv- ing force is the NIST post-quantum cryptography standardization process [32], 69 J. Hermelink et al. 2 Hermelink et al. which is currently in round 3 with 15 schemes remaining [33]. In parallel, NIST is working on an official standard [16] for the stateful hash-based signature schemes XMSS [20] and LMS [31]. The schemes are promising due to their well under- stood security level and high level of trust. While the schemes instigated by NIST are most likely a major foundation for future secured systems, it is not sufficient to only look at isolated schemes. Most use cases in the automotive domain, e.g., secured channel establishment for remote diagnosis services, require more advanced protocols (see [11]). In this context, it is not sufficient to simply establish a shared secret to communicate using symmetric encryption, especially when a remote connection is used for diagnostic services. Both parties may need forward secrecy and mutual authen- tication, which usually implies the need for long term certificates. It is thus important to investigate the integration of NIST PQC primitives into protocols and real-world systems and to provide feedback on the suitability of possible future algorithms. In general, classic authenticated key exchange (AKE) protocols use a Diffie- Hellman key exchange that is authenticated with a signature and symmetric mes- sage authentication code (MAC). Popular examples are SIGMA [30] or Trans- port Layer Security (TLS) [36]. However, with the need for a migration to post- quantum AKE several issues arise. First, the size of certain elements (e.g., public keys and signatures) is considerably larger than for RSA or ECC. This may lead to increased latency and memory requirements. Moreover, it currently seems that post-quantum digital signatures are more complicated to construct and to secure than public key encryption (PKE) or key encapsulation mechanisms (KEM). In addition, they are typically slower than PKE schemes of a comparable security level (see Section 3) and may even exhibit no deterministic runtime. Such non deterministic runtime may make it impossible to guarantee a response within a defined timeframe. On the other hand, stateful hash-based signatures look very promising due to the high confidence level. However, the usage of stateful hash- based signatures requires more careful management of the state of the private key compared to stateless signature schemes. As a consequence, the practical deployment of PQC in the automotive do- main appears challenging due to often limited computational power and re- quirements for defined response times. First works already implemented and optimized schemes like Newhope for automotive microcontrollers [18]. However, it is necessary to increase the understanding of the cost and performance of a full AKE. In addition, it is necessary to determine where specific low-level optimizations (e.g., assembly code, compiler directives) are most effective. A promising proposal for efficient AKE is a protocol proposed by Guilhem, Smart, and Warinschi [37] that explicitly avoids signing operations in the protocol. The protocol achieves authenticated key exchange between devices by using an IND- CPA secured key exchange protocol, an IND-CCA secured private key encryption protocol, a symmetric cipher, and a hash function for message authentication. Contribution. In this work, we investigate challenges and the performance of AKE protocols designed for instantiation with quantum-safe algorithms [37] 70 Quantum Safe Authenticated Key Exchange Quantum Safe Authenticated Key Exchange 3 on the automotive microcontroller platform AURIXTM[22]. We provide an in- stantiation of the protocol with a selection of ciphers that aim for high security and simple implementation. We thus employ Newhope1024-CPA-KEM [2] for ephemeral key exchange, NewHope1024-CCA-KEM for encrypted-based authen- tication, AES256-GCM for data encryption and SHA3 as MAC. To protect the PKI we use XMSS-SHA2 10 256 [20] signatures. We chose a lattice-based KEM scheme for the session key exchange for having a relatively small key size, good performance, and fast key generation for ephemeral key exchange. We selected a stateful hash-based signature scheme for the verification of the long term certifi- cate because of the small public key and very good long term security properties. To get a better understanding of the lower boundary of the overhead and prac- ticability of AKE protocol, we implemented the entire scheme using open-source reference implementations of the cryptographic algorithms. As an initial step, we used reference implementations to identify possible bottlenecks and to get the big picture on the overall performance of the AKE protocol and the certificate validation. We provide information on message sizes and discuss standalone per- formance of the cryptographic

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us