
 AUTOSAR Security Modules

Current Status

V1.00 | 2015-05-27
Agenda

1. AUTOSAR

2. CAL & CSM

3. SecOC

AUTOSAR
Introduction

- Automotive Open System Architecture
- Software for electronic control units (ECU)

Software architecture

[Figure: software architecture diagram with the blocks SWC/Application, RTE, SYS, COM, LIB, MCAL, CDD and Microcontroller]

AUTOSAR
Introduction

Software component (SWC) / Application

- Implementation of functionality of ECU
- Runs on microcontroller
- Sends & receives data to and from other ECUs (in network)

[Figure: architecture diagram showing SWC/Application and Microcontroller]

AUTOSAR
Introduction

Run time environment (RTE)

- Provides interface to basic software (BSW)

[Figure: architecture diagram showing SWC/Application, RTE and Microcontroller]

AUTOSAR
Introduction

System services (SYS) and libraries (LIB)

- Cryptographic modules

Operating system (OS)

Complex device drivers (CDD)

[Figure: architecture diagram showing SWC/Application, RTE, SYS, LIB, CDD and Microcontroller]

AUTOSAR
Introduction

Communication modules (COM)

- Send & receive data on automotive bus systems
  > Controller Area Network (CAN)
  > Local Interconnect Network (LIN)
  > FlexRay
  > Ethernet
  > ...

[Figure: architecture diagram showing SWC/Application, RTE, SYS, COM, LIB, CDD and Microcontroller]

AUTOSAR
Introduction

Microcontroller abstraction layer (MCAL)

- BSW & SWC independent of microcontroller

[Figure: architecture diagram showing SWC/Application, RTE, SYS, COM, LIB, MCAL, CDD and Microcontroller]

AUTOSAR
Motivation for security modules in AUTOSAR

New security challenges

- Automotive software plays central role in car innovations
- Car connectivity will provide an essential part for value-added features

Car security – strict and secure access control to…

- … the car and its parts (ECU)
- … sensitive car data (odometer, motor characteristic)
- … passenger’s data (GPS)
- … intellectual property of the OEM

AUTOSAR

AUTOSAR security modules

CAL & CSM

- Basic cryptographic primitives for BSW and application

SecOC

- Authenticated communication seamlessly integrated into the AUTOSAR communication stack

Agenda

1. AUTOSAR

2. CAL & CSM

3. SecOC

CAL & CSM
Introduction

Crypto Abstraction Library – CAL

- BSW, CDD or SWC use CAL by inclusion
- Memory allocated by caller
- Enables re-entrance

Crypto Primitive Library – CPL

- SW implementation of cryptographic primitives

Crypto Service Manager – CSM

- SWC use CSM through RTE
- BSW/CDD use CSM by inclusion
- Asynchronous operation possible
- Callback indicates application

Crypto library module – CRY

- Implementation of cryptographic primitives
- Usage of SW or crypto HW possible

[Figure: architecture diagram with the blocks SWC/Application, RTE, CAL, CPL, SYS, CSM, CRY, COM, SHEDRV, LIB, MCAL, CDD, Microcontroller and SHE]

CAL & CSM
Supported Cryptographic Services

- Abstract definition of cryptographic services
- No definition for a concrete cryptographic algorithm

Basic Cryptography

- Hash
- Message authentication code (MAC)
  > Generation
  > Verification
- Random number generation
- Encryption/Decryption
  > Symmetric
  > Asymmetric
- Signatures

Key Management

- Key derivation function (KDF)
- Key generation, update*, export, import
- Key exchange protocols

Miscellaneous

- Compression/Decompression
- Checksum

*Csm only

CAL & CSM
Cryptographic Service Configuration

[Figure: service configuration tree]
AsymEncryptService: AsymEncrypt_1 (RSA2048), AsymEncrypt_2 (RSA4096)
SymEncryptService: SymEncrypt_1 (AES), SymEncrypt_2 (TwoFish)
HashService

- Individual configuration of each required service
- Set of distinct configurations
- Specific implementation for each service configuration

CAL & CSM
Cryptographic Service Configuration

[Figure: service configuration tree]
AsymEncryptService: AsymEncrypt_1 (RSA2048), AsymEncrypt_2 (RSA4096)
SymEncryptService: SymEncrypt_1 (AES), SymEncrypt_2 (Serpent)
HashService

- Individual configuration of each required service
- Set of distinct configurations
- Specific implementation for each service configuration
- Implementations may change in future

CAL & CSM
Cryptographic Service Configuration

[Figure: service configuration tree]
AsymEncryptService: AsymEncrypt_1 (RSA2048, ECC256), AsymEncrypt_2 (RSA4096, ECC512)
SymEncryptService: SymEncrypt_1 (AES), SymEncrypt_2 (Serpent)
HashService

- Individual configuration of each required service
- Set of distinct configurations
- Specific implementation for each service configuration
- Implementations may change in future
- API compatibility not ensured

CAL & CSM
General Usage

Streaming services

[Figure: an indefinitely long data stream processed as Start, Update, Update, Update, ..., Update, Finish, producing the result]

- Initialization with Start function (e.g. Csm_SymEncryptStart)
- Update function (e.g. Csm_SymEncryptUpdate)
- Finish function (e.g. Csm_SymEncryptFinish)

Non-streaming services

- Example: Csm_GenerateRandom

CAL & CSM
Hardware-based Security

[Figure: architecture diagram with the blocks SWC/Application, RTE, CSM, SYS, CRY, LIB, MCAL, SHEDRV, CDD, Microcontroller and SHE]

- CSM services use cryptographic hardware or software implementation

CAL & CSM
Hardware-based Security

[Figure: controller block diagram with the labels CPU, Peripherals (CAN, UART, ...) and a secure zone "SHE – Secure Hardware Extension" with AES, Control Logic and RAM + Flash + ROM]

Secure Hardware Extension (SHE)

- On-chip extension to microcontroller
- Memory for secure storage of (cryptographic) data
- Hardware extension for cryptographic primitives
- Specified by Hersteller Initiative Software (HIS)

CAL & CSM
SHE - Performance

- AES ECB Encryption: SHE vs. Software library

[Figure: bar chart of AES ECB encryption time in µs (axis 0 to 2000) for 1 block, 3 blocks and 6 blocks, with the groups SHE 64 MHz, SW 64 MHz, SHE 120 MHz and SW 120 MHz. Data labels on the chart: 2002.5, 1111.6, 24.94, 13.5.]

Measured on a Freescale MPC5646C (w/ CSE), MICROSAR Stack with CSM and SHE driver with the Vector ‘AUTOSAR Measurement and Debugging (AMD) Runtime Measurement (Rtm)‘ Tool.
1 Block = 16 bytes

Agenda

1. AUTOSAR

2. CAL & CSM

3. SecOC

SecOC
Introduction

- SecOC is parallel to PDUR
- PDUR routes PDUs
- PDU is a message on a bus

[Figure: architecture diagram with the blocks SWC/Application, RTE, SecOC, PDUR, SYS, COM, LIB, MCAL, CDD and Microcontroller]

SecOC
Introduction

- SecOC is parallel to PDUR
- PDUs are routed through SecOC
- PDU & authentication sent & received through IF or TP modules
- COM module combines data into PDUs
- IF modules send & receive atomic messages
- TP modules manage messages longer than atomic messages

[Figure: architecture diagram with the blocks SWC/Application, RTE, COM, SecOC, PDUR, IF/TP, SYS, COM, LIB, MCAL, CDD and Microcontroller]

SecOC
Introduction

- SecOC is parallel to PDUR
- PDUs are routed through SecOC
- PDU & authentication sent & received through IF or TP modules
- SecOC uses Cal or Csm
- RTE-interface
- Authentication: MAC or signature

[Figure: architecture diagram with the blocks SWC/Application, RTE, CAL, CSM, COM, SecOC, PDUR, IF/TP, SYS, COM, LIB, MCAL, CDD and Microcontroller]

SecOC
Functionality

[Figure: ECU 1 and ECU 3 exchange a secured PDU over the bus]

- SecOC sends & receives secured PDUs
- Secured PDUs are protected against
  > Manipulation
  > Random errors
  > Replays

SecOC
Sending a secured PDU

[Figure: ECU 1 with DataID 1 and PDU 1, and the secured PDU]

- DataID assigned to secured PDU
- Authentic PDU

SecOC
Sending a secured PDU

[Figure: ECU 1 with DataID 1, PDU 1 and the freshness value, and the secured PDU]

- Freshness value
  > Monotonic counter to prevent replay attacks
- Implementation
  > Timestamp
  > Counter

SecOC
Sending a secured PDU

[Figure: ECU 1; DataID 1, PDU 1 and the freshness value enter the MAC generator, which outputs the MAC]

- DataID, PDU, freshness value form input to MAC generator
- Symmetric key required for MAC generation
- SecOC may use CMAC to benefit from SHE

SecOC
Sending a secured PDU

[Figure: ECU 1; the secured PDU consists of PDU 1, the LSBs of the freshness value and the MSBs of the MAC produced by the MAC generator]

- PDU, truncated freshness value, truncated MAC form secured PDU

SecOC
Sending a secured PDU

[Figure: ECU 1; the secured PDU consists of PDU 1, the truncated freshness value and the MSBs of the MAC produced by the MAC generator]

- NIST Special Publication 800-38B (CMAC)
- Truncated MAC length ≥ 64 bits

Truncated MAC length must be chosen carefully, depending on network attributes and security requirements.

SecOC
Reception of a secured PDU

[Figure: ECU 1 sends the secured PDU (PDU 1, truncated freshness value, MAC) to ECU 3; on ECU 3 the received bits replace the LSBs of the freshness value to give the verification freshness value ("Ver. Fresh.")]

- Authentic PDU is parsed
- DataID must be identical for sender and receiver
- Truncated freshness value is synchronized to form verification freshness value

SecOC
Reception of a secured PDU

[Figure: ECU 3; Ver. Fresh. + 0..01 0..0 = Ver. Fresh., i.e. the MSBs of the verification freshness value are incremented by one]

- Verification freshness value > stored freshness value (replay attacks)
  > If not: Increment MSBs of verification freshness value
- Synchronization between sender and receiver

SecOC
Reception of a secured PDU

[Figure: ECU 1 and ECU 3 each feed DataID 1, PDU 1 and the freshness value into a MAC generator; ECU 3 compares its calculated MAC with the MAC received in the secured PDU]

- DataID, PDU, verification freshness form input to MAC generator
- Symmetric key must be identical for sender and receiver
- MSBs of calculated MAC are compared to truncated MAC
- If successful, PDU is forwarded
- If not, PDU is dropped
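
The send and receive steps from the preceding slides, as an added example that is not part of the original deck or of any AUTOSAR implementation. Assumptions: an 8-bit truncated freshness value, a 64-bit counter, a 2-byte DataID encoding, hypothetical function names, and HMAC-SHA-256 standing in for CMAC because Python's standard library has no CMAC.

```python
import hashlib
import hmac

FV_BITS = 8     # truncated freshness bits sent in the secured PDU (assumed)
FV_BYTES = 8    # width of the full freshness counter in bytes (assumed)
MAC_BYTES = 8   # truncated MAC length: 64 bits, the minimum on the slide
MASK = (1 << FV_BITS) - 1

def full_mac(key, data_id, pdu, fv):
    # MAC input: DataID || PDU || complete freshness value.
    # HMAC-SHA-256 is a stand-in for CMAC here (assumption, see lead-in).
    msg = data_id.to_bytes(2, "big") + pdu + fv.to_bytes(FV_BYTES, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_secured_pdu(key, data_id, pdu, fv):
    # Sender: PDU || LSBs of freshness value || MSBs of MAC.
    trunc_fv = (fv & MASK).to_bytes(FV_BITS // 8, "big")
    return pdu + trunc_fv + full_mac(key, data_id, pdu, fv)[:MAC_BYTES]

def verification_freshness(stored_fv, trunc_fv):
    # Receiver: replace the LSBs of the stored value with the received ones;
    # if the result is not greater than the stored value, increment the MSBs.
    candidate = (stored_fv & ~MASK) | trunc_fv
    if candidate <= stored_fv:
        candidate += 1 << FV_BITS
    return candidate

def verify_secured_pdu(key, data_id, secured, stored_fv):
    # Returns (pdu, new_stored_fv) if authentic, (None, stored_fv) if dropped.
    fv_len = FV_BITS // 8
    pdu = secured[:-(fv_len + MAC_BYTES)]
    trunc_fv = int.from_bytes(secured[len(pdu):len(pdu) + fv_len], "big")
    fv = verification_freshness(stored_fv, trunc_fv)
    expected = full_mac(key, data_id, pdu, fv)[:MAC_BYTES]
    if hmac.compare_digest(expected, secured[-MAC_BYTES:]):
        return pdu, fv
    return None, stored_fv

KEY = bytes(range(16))   # constructed sample key, shared by sender and receiver

def demo():
    # Sender counter rolls over its low byte (0xFF -> 0x100); receiver has 0xFF.
    frame = build_secured_pdu(KEY, 1, b"\x12\x34", 0x100)
    first = verify_secured_pdu(KEY, 1, frame, 0xFF)
    replay = verify_secured_pdu(KEY, 1, frame, first[1])
    return first, replay

if __name__ == "__main__":
    print(demo())
```

With 8 truncated bits the receiver recovers the sender's counter only while it is at most 256 ahead of the stored value; a larger gap reconstructs a different value and the PDU is dropped.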

SecOC
System Configuration

[Figure: ECU 1, ECU 2 and ECU 3 connected to a common bus; PDU 1 appears on three ECUs, PDU 2 and PDU 3 on two ECUs each]

SecOC
System Configuration

[Figure: ECU 1, ECU 2 and ECU 3 on a common bus; DataID 1 is attached to PDU 1 and DataID 2 to PDU 2, while PDU 3 has no DataID]

- Assignment of DataIDs to the to-be-secured PDUs

SecOC
System Configuration

[Figure: ECU 1, ECU 2 and ECU 3 on a common bus; PDU 1 (DataID 1) and PDU 2 (DataID 2) are each followed by a freshness value and a MAC, while PDU 3 is unchanged]

- Specification of the layout of the secured PDU

SecOC
System configuration

[Figure: ECU 1, ECU 2 and ECU 3 on a common bus; PDU 1 (DataID 1) and PDU 2 (DataID 2) are each followed by a freshness value and a MAC, while PDU 3 is unchanged]

- Assignment of keys to the secured PDUs
- Initial keying
- Re-keying

SecOC
System configuration

[Figure: the same configuration of ECU 1, ECU 2 and ECU 3, with the outputs ECU1_Extract, ECU2_Extract and ECU3_Extract]

For more information about Vector
and our products please visit

www.vector.com

Author:
Philipp Werner, Armin Happel, Ralf Fritz, Steffen Keul
Vector Informatik GmbH

© 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.00 | 2015-05-27
