EXTERNAL USE
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners.© 2016 NXP B.V.
CONNECTED CAR SECURITY FOR V2X
Richard Soja, NXP
International Cryptographic Module Conference, Ottawa, Canada, 20 May 2016
THE CONNECTED CAR … a cloud-connected computer network on wheels

• A networked computer
  − up to 100 ECUs per car
  − and many sensors
  − inter-connected by wires
  − more and more software
• Increasingly connected to its environment
  − to vehicles & infrastructure
  − to user devices
  − to cloud services

[Figure: vehicle connectivity overview. Wireless: 802.11p (V2V, V2I); LF/UHF remote keyless entry; NFC and portable device connectivity; radar; digital radio, satellite radio and radio data services. Wired in-vehicle networks: Ethernet, CAN, FlexRay, LIN.]
… IS AN ATTRACTIVE TARGET FOR HACKERS …

• Easy Access
  − Fully connected car
  − External & internal interfaces
  − Wired & wireless interfaces
• High Vulnerability & Impact
  − Increasing number of nodes
  − More advanced features
  − X-by-Wire
• Valuable Data
  − Collection of data/info
  − Storage of data
  − Diagnostic functions

Security goals: prevent unauthorized access, protect privacy, increase safety.

[Figure: attack surface of the connected car: Cloud Connection, In-Vehicle E&E, Car2X, Consumer Device Integration.]
… WITH HIGH PUBLIC AWARENESS

[Figure: press headlines such as "The Scary Things Hackers Can Do to Your Car". Sources: BBC News, CNN, abc News, NBC News, CBS News, The Wall Street Journal.]
DEFENSE IN DEPTH: Securing the Vehicle’s Electronics Architecture

• Multiple security techniques, at different levels in the architecture
• To mitigate the risk of one component of the defense being compromised or circumvented

Layers: SECURE PROCESSING, SECURE NETWORK, SECURE INTERFACES. Techniques by objective:
• Prevent access: authenticate code (secure boot); firewalls (context-aware message filtering); secure messaging; separate / isolated domains within the network; M2M authentication; firewalls (isolate access points)
• Detect attacks: intrusion detection systems (IDS); run-time integrity protection
• Reduce impact: resource control (virtualization)
• Fix vulnerabilities: secure OTA firmware updates; secure OTA policy updates (firewall, IDS)
NXP AUTOMOTIVE VEHICLE SECURITY ARCHITECTURE (4 +1 SOLUTION)

• NXP #1 in Auto HW Security
• 4-Layer Cyber Security Solution
• Plus ‘Best In Class’ Car Access Systems
• Recognized Thought & Innovation Leader
• Partner of Choice for OEMs, T1s & Industry Alliances
CAR CONTROL SYSTEMS

[Figure: in-vehicle network topology. Buses: Ethernet; Body CAN (HSCAN/FTCAN); Powertrain CAN / FlexRay (HSCAN/FlexRay); Instrument CAN; LIN (LIN 1.3/2.x); Diagnosis CAN or Ethernet. Gateway(s) / BCM(s) join the domains and the external interfaces (3G/4G to cloud services, BLE, NFC, WPC, V2X, mPOS, ADAS, dashboard). Legend: Secure MCU, IVN security, No security, Secure Element. ECUs shown include door control, HVAC, park heating, top column module, parking sensors, rear/front power modules, level sensor, garage opener, heater fan, wiper control, steering sensors, engine control, drive-by-wire, anti-lock brake, transmission control, (adaptive) cruise control, headlight control, steer-by-wire, stability control, rain light sensor, immobilizer, lighting switch, flappers, start/stop, key, antenna, roof module, interior lighting, car access module, AFS, energy manager, seat control, LED ambient, infotainment units, power steering, airbag control, airbags, data recorder (EDR, tacho).]
SECURITY HARDWARE – what are the options?

Configuration      | ECU composition       | ECU security requirements                                                                  | Incremental cost* | Applications
No security        | MCU + TRX             | (none)                                                                                     | (none)            | Body & Comfort: HVAC, seat control, …
Secure transceiver | MCU + ST              | secure IVN comm.; firewalling (shield)                                                     | +                 | Stability & safety: airbag, ABS/ESP, …
Secure MCU         | Secure MCU + TRX      | secure firmware; secure IVN comm.; firewalling (shield)                                    | ++                | ADAS / self-driving: X-by-wire, valet parking, …
Secure Element     | MCU + SE + TRX        | tamper-resistant M2M authentication                                                        | ++                | M2M authentication: payment, car access via phone, …
Hybrid security    | Secure MCU + SE + TRX | secure firmware; secure IVN comm.; firewalling (shield); tamper-resistant M2M authentication | +++               | Advanced interfaces: V2X / Telematics, connected gateway, …

* compared to the non-secure configuration (first row)
Every configuration attaches the ECU to the IVN through its transceiver.

ECU - Electronic Control Unit; MCU - Microcontroller Unit; TRX - Transmitter/Receiver Interface; IVN - In Vehicle Network; ST - Secure Transceiver; SE - Secure Element
FUNCTIONAL vs. PHYSICAL SECURITY

Physical attacks are difficult … but they may lead to remote (scalable) attacks!

Functional Security (against remote / logical attacks; attack potential: (enhanced) basic)
– Standard crypto toolbox
– Virtualization techniques
– HW accelerators
– Firewalls
– …

Physical Security (against local / physical attacks: fault injection, information leakage; attack potential: moderate to high)
– Protection against side-channel analysis (timing, power, EM, etc.)
– Protection against fault injection
– Protection against reverse engineering
– HW-SW co-design
– …

[Figure: SE and HSM positioned across the functional and physical security ranges.]
SECURITY HARDWARE FEATURES AND THEIR APPLICATION

• Secure Boot
• Chain of Trust
• Symmetric Key Crypto Functions
• Asymmetric Key Crypto Functions
• EVITA 1, 2, 3 Compliance
• SHE Protocol
• FOTA updates
• AES, RSA, ECC, SHA cryptographic hardware accelerators
• True Random Number Generators
• Pseudo Random Number Generators
• Security Life-cycle Management
• Password Protected Debug Access
• Password Protected Flash Programming
• Secret Key Storage
• Zeroised memory
• Tamper proof flash reprogramming audit trail
• Side Channel Attack Countermeasures
• TrustZone
• Permanently Secure Flash Regions
SECURE ELEMENT – OVERVIEW

• A tamper-resistant platform that protects against physical attacks
  − Proven security, via 3rd-party evaluation and certification (Common Criteria)
• Securely hosts security applications and their confidential data
  − Banking cards, electronic passports, V2X, telematics, …
• Provides secure crypto processing
  − AES, RSA, ECC, TRNG, …
• And secure key and certificate handling
  − Generate and store secret keys
  − Store and validate certificates
  − Manage security profiles

[Figure: Secure Element alongside the Application Processor, SIM and NFC controller.]
SECURITY THROUGHOUT THE ENTIRE LIFECYCLE

• Increased security level at each stage of the development lifecycle
• Stage transitions are non-reversible and non-revocable
• Enable application development, debugging and failure analysis
• Without compromising security in the production vehicle

[Figure: security level rising across the vehicle lifecycle: Out of Fab → Application Development → Vehicle Production → In Field → Field Return.]
V2X APPLICATION
SECURING V2X COMMUNICATIONS

Privacy: can others track me while driving? A high degree of anonymity (identity hiding) is required to prevent tracking.
Security: was the message not modified? Did it really originate from car A? Can I trust car A? Car and message authentication are required to prevent traffic disruption or impersonation.

[Figure: V2X use cases: hazard warning (vehicle-to-roadside communication), seeing around corners (inter-vehicle communications), emergency vehicle warning, emergency event.]
SECURING V2X COMMUNICATIONS: Performance & Security requirements

• Digital signature: ECDSA P-256 (security strength comparable to RSA-3072 / AES-128)
  − for authentication (sender identity, content integrity)
  − and non-repudiation (no plausible deniability)
• Performance level:
  − broadcast (TX) up to 20 safety messages / s
  − receive (RX) many more messages (100-1000 / s)
• Security level:
  − secret key material (pseudo-identities) involved in signature generation (TX)
  − only public key material involved in signature verification (RX)
• Architecture driven by separation of concerns:
  − Secure Element: highly-secure message signing and ID management (TX)
  − Verification accelerator: high-speed message verification (RX)

                 | TX                                                | RX
Operation        | Signature generation                              | Signature verification
Rate             | Low: ≤ 20 / s                                     | High: 100-1000 / s
Security level   | High: protection of private keys (= car identity) | Modest: only non-secret data
Fan-out          | 1:N (one signer, many receivers)                  | N:1 (one receiver, many senders)

[Figure: the sender signs "Hello!" once and broadcasts it; each receiver verifies it with the sender's public key, which can be exchanged as part of the message.]
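The TX/RX separation of concerns above, as an added example that is not code from this deck or from NXP: a Go program in which a Signer standing in for the Secure Element holds the pseudonym private keys and signs each broadcast message with ECDSA P-256 over SHA-256, while a Verifier standing in for the verification accelerator holds public keys only. The message layout, the pseudonym-rotation rule (switch keys every N messages), in-memory key generation and the sample payload are assumptions of this example, not the IEEE 1609.2 / ETSI ITS formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedMessage is the on-air unit: payload, pseudonym in use and an ECDSA P-256
// signature over both (constructed layout for this example, not the IEEE 1609.2 one).
type SignedMessage struct {
	PseudonymID uint32
	Payload     []byte
	Signature   []byte // ASN.1 DER (r, s) as produced by ecdsa.SignASN1
}

// Signer stands in for the Secure Element: the only component that holds private keys.
// A real SE keeps them on-chip; here they are generated in memory (assumption).
type Signer struct {
	keys        []*ecdsa.PrivateKey // one key per pseudonym certificate
	current     int                 // pseudonym currently in use
	sent        int                 // messages signed so far
	rotateEvery int                 // switch pseudonym after this many messages
}

func NewSigner(numPseudonyms, rotateEvery int) (*Signer, error) {
	if numPseudonyms < 1 || rotateEvery < 1 {
		return nil, errors.New("need >= 1 pseudonym and a rotation interval >= 1")
	}
	s := &Signer{rotateEvery: rotateEvery}
	for i := 0; i < numPseudonyms; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		s.keys = append(s.keys, k)
	}
	return s, nil
}

// PublicKeys is all the RX side may learn: public material only, keyed by pseudonym ID.
func (s *Signer) PublicKeys() map[uint32]*ecdsa.PublicKey {
	out := make(map[uint32]*ecdsa.PublicKey, len(s.keys))
	for i, k := range s.keys {
		out[uint32(i)] = &k.PublicKey
	}
	return out
}

// digest binds the pseudonym ID into the signed hash, so a captured signature cannot
// be replayed under a different pseudonym.
func digest(pseudonymID uint32, payload []byte) []byte {
	var id [4]byte
	binary.BigEndian.PutUint32(id[:], pseudonymID)
	h := sha256.New()
	h.Write(id[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the TX path (<= 20 msg/s in the deck). The pseudonym rotates every rotateEvery
// messages so a roadside listener cannot link a long trace of messages to one car.
func (s *Signer) Sign(payload []byte) (SignedMessage, error) {
	if s.sent > 0 && s.sent%s.rotateEvery == 0 {
		s.current = (s.current + 1) % len(s.keys)
	}
	s.sent++
	id := uint32(s.current)
	sig, err := ecdsa.SignASN1(rand.Reader, s.keys[s.current], digest(id, payload))
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{PseudonymID: id, Payload: append([]byte(nil), payload...), Signature: sig}, nil
}

// Verifier stands in for the verification accelerator (RX path, 100-1000 msg/s). It
// holds only non-secret data, so compromising it leaks no key that identifies a car.
type Verifier struct{ trusted map[uint32]*ecdsa.PublicKey }

func NewVerifier(trusted map[uint32]*ecdsa.PublicKey) *Verifier { return &Verifier{trusted: trusted} }

func (v *Verifier) Verify(m SignedMessage) error {
	pub, ok := v.trusted[m.PseudonymID]
	if !ok {
		return errors.New("unknown pseudonym: sender not trusted")
	}
	if !ecdsa.VerifyASN1(pub, digest(m.PseudonymID, m.Payload), m.Signature) {
		return errors.New("bad signature: message modified or not from this pseudonym")
	}
	return nil
}

func main() {
	signer, _ := NewSigner(3, 2) // constructed: 3 pseudonyms, rotate every 2 messages
	verifier := NewVerifier(signer.PublicKeys())
	msg, _ := signer.Sign([]byte("BSM: speed=13.4 brake=0")) // constructed payload
	fmt.Printf("pseudonym %d, genuine: %v\n", msg.PseudonymID, verifier.Verify(msg))
	msg.Payload[len(msg.Payload)-1] = '1' // attacker flips the brake flag in flight
	fmt.Println("tampered:", verifier.Verify(msg))
}
```

What the split buys is visible in the types: the Verifier can be replicated, accelerated or even compromised without exposing a key that identifies the car, and binding the pseudonym ID into the signed digest stops a captured signature from being presented under another pseudonym. Pseudonym rotation is the mechanism behind the privacy goal on the previous slide; how many pseudonyms a car holds and how often it rotates is a policy question this example leaves as a parameter.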
CLOUD SERVICES
FIRMWARE OVER THE AIR (FOTA) CHALLENGES

• Automobiles are cyber-physical devices
  − A bad FOTA can have dangerous consequences
• Security should be examined holistically from end to end
  − Perhaps modeled on PCI§ security standards
• Traditionally, security belonged in the IT domain
  − Embedded systems designers need to acquire this skill set
• Legal restrictions on OEM access to private vehicle information
  − e.g. California denies OEMs access to DMV records

§ Payment Card Industry

[Figure: FOTA chain. OEM Server → (cellular; non-repudiated and secure data transfer) → central in-vehicle FOTA server (e.g. telematics unit, gateway; secure NVM storage, tamper-proof hardware audit trail) → (authenticated data transfer) → in-vehicle FOTA clients (e.g. powertrain ECU; secure NVM storage, tamper-proof hardware audit trail).]
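The last hop of the chain above (authenticated data transfer to the ECU, with secure NVM and an audit trail at the client), as an added example that is not code from this deck or from NXP: a Go program in which the OEM signs an update manifest with ECDSA P-256, and a FOTA client on the ECU verifies the signature, refuses manifests meant for another ECU, refuses version rollback, checks the image against the signed hash, and records every outcome in a hash-chained audit trail. The manifest layout, the anti-rollback rule, the in-memory OEM key and the sample image bytes are assumptions of this example; a real client would keep the installed version and the trail in the secure NVM the slide calls for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update for one ECU; the OEM signs it, and the image is
// authenticated through ImageHash (constructed layout for this example).
type Manifest struct{ ECU string; Version uint32; ImageHash [32]byte }

func u32(v uint32) []byte { var b [4]byte; binary.BigEndian.PutUint32(b[:], v); return b[:] }

// Bytes is the canonical encoding that gets signed (length-prefixed name, fixed-width
// fields), so two different manifests never encode to the same bytes.
func (m Manifest) Bytes() []byte {
	b := append(u32(uint32(len(m.ECU))), m.ECU...)
	return append(append(b, u32(m.Version)...), m.ImageHash[:]...)
}

func NewManifest(ecu string, version uint32, image []byte) Manifest {
	return Manifest{ECU: ecu, Version: version, ImageHash: sha256.Sum256(image)}
}

// NewOEMKey stands in for the OEM server's signing key (an HSM in production; generated
// in memory here, an assumption of this example). SignManifest is the server-side step.
func NewOEMKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func SignManifest(priv *ecdsa.PrivateKey, m Manifest) ([]byte, error) {
	h := sha256.Sum256(m.Bytes())
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// AuditEntry is one record of a hash-chained audit trail: each entry commits to the
// previous one, so editing or deleting a record breaks the chain. It is a software
// stand-in for the tamper-proof hardware audit trail on the slide.
type AuditEntry struct{ Prev [32]byte; Version uint32; Result string }

func (e AuditEntry) Hash() [32]byte { return sha256.Sum256(append(append(e.Prev[:], u32(e.Version)...), e.Result...)) }

// Client is the in-vehicle FOTA client (e.g. a powertrain ECU): it holds only the OEM
// public key (no secret), the installed version and its audit trail.
type Client struct{ ECU string; OEMPub *ecdsa.PublicKey; Version uint32; Audit []AuditEntry }

func (c *Client) record(version uint32, result string) {
	var prev [32]byte
	if n := len(c.Audit); n > 0 {
		prev = c.Audit[n-1].Hash()
	}
	c.Audit = append(c.Audit, AuditEntry{Prev: prev, Version: version, Result: result})
}

func verdict(err error) string { if err != nil { return "rejected: " + err.Error() }; return "installed" }

// Apply checks in the order a cautious client should: signature first (until then every
// field is attacker-controlled), then target ECU, anti-rollback, image hash. Every
// outcome, accepted or rejected, goes into the audit trail via the deferred record.
func (c *Client) Apply(m Manifest, sig, image []byte) (err error) {
	defer func() { c.record(m.Version, verdict(err)) }()
	h := sha256.Sum256(m.Bytes())
	switch {
	case !ecdsa.VerifyASN1(c.OEMPub, h[:], sig):
		return errors.New("manifest signature invalid")
	case m.ECU != c.ECU:
		return fmt.Errorf("manifest targets %q, this ECU is %q", m.ECU, c.ECU)
	case m.Version <= c.Version:
		return fmt.Errorf("rollback refused: installed %d, offered %d", c.Version, m.Version)
	case sha256.Sum256(image) != m.ImageHash:
		return errors.New("image hash mismatch: corrupted or substituted image")
	}
	c.Version = m.Version
	return nil
}

// VerifyAudit recomputes the chain; false means the trail has been altered.
func (c *Client) VerifyAudit() bool {
	var prev [32]byte
	for _, e := range c.Audit {
		if e.Prev != prev {
			return false
		}
		prev = e.Hash()
	}
	return true
}

func main() {
	oemKey, _ := NewOEMKey()
	c := &Client{ECU: "powertrain", OEMPub: &oemKey.PublicKey, Version: 3}
	image := []byte("constructed powertrain image v4")
	m := NewManifest("powertrain", 4, image)
	sig, _ := SignManifest(oemKey, m)
	fmt.Println("genuine v4:", c.Apply(m, sig, image))
	fmt.Println("replayed v4:", c.Apply(m, sig, image), "| audit intact:", c.VerifyAudit())
}
```

The order of checks matters: the signature is verified before any manifest field is trusted, the version comparison is what turns a replayed but genuine old update into a rejection, and the hash check ties the bulk image (which may arrive over a different, unauthenticated path) to the signed manifest. The software hash chain only makes tampering detectable; making it tamper-proof, as the slide asks, needs the trail anchored in hardware the application cannot rewrite.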
SUMMARY

• Security must be designed into the system architecture definition
  − Embedded systems designers need to acquire security skill sets
• End-to-end security solutions must be developed
  − From sensor authentication to secure communication to the cloud
• Hardware security accelerators and architectural components are needed
  − For performance, but also to withstand more advanced (physical) attacks
• Security lifecycle management must be integrated
  − Through the entire product lifecycle, from system development to end-of-life
• Companies with a solid history and highly skilled workforce in both Automotive Electronics and Security Technology will have the greatest success in the Connected Car market
THANK YOU!
Securely!

• Telematics Solutions (i.MX Applications Processors)
• Embedded MCUs and Applications Processors (with integrated communication interfaces, e.g. CAN/CAN FD, FlexRay, LIN, MediaLB, Ethernet, and application-layer software stacks)
• Automotive Gateway Solutions (MPC5xxx, S32G MCUs)