SHE Secure Hardware Extension Data Security for Automotive Embedded Systems Workshop on Cryptography and Embedded Security Embedded World @ Nuremberg, February 2012
Content Data Security - What does it mean for Automotive? SHE - Secure Hardware Extension - A new Standard? SHE - Implementation Outlook 1
Data Security What does it mean for Automotive? Areas of Use Applications EVITA Security Categories 2
Areas with Demand for Security It s not only onboard electronics that have an impact 3
In-Vehicle Data Security Data Security on the road today On-chip Flash/ROM read-out protection against unauthorized access Solution by Fujitsu: Flash/ROM security Available on 16LX,16FX, FR, FCR4 Future, Enhanced Data Security Protect entire car system not limited to Flash/ROM read-out prevention Authentication, Secure Communication and Data Storage within vehicle between vehicles (C2C) between vehicle and infrastructure (C2X) En-/Decryption is key for future state-of-the-art MCUs Embedded and ASSP solutions will find their market segment Complexity of security implementations scales with use case 4
Target Applications Theft protection / Immobilizer Prevent unauthorized operation of vehicle Disable ignition and alike Component Protection Membership validation of all ECUs built in a particular vehicle Exchanging 1 ECU without authentication degrades functionality as unauthenticated functions will not work stops operation of all networked ECUs at next system start E.g. when engine control ECU is affected Feature Activation Enables certain functions in the delivered SW-package Gives OEM opportunity in after sales revenues 5
ECUs to be protected by Cryptography Gateway Body Computer Module 1 Body Computer Module 2 Climate Control Thermo Management Unit Active Engine Mount Instrument Cluster Night Vision Battery Management System Charger Safety Computer Adaptive Cruise Control Engine Control Gear Box Electronic Steering Column Lock Power Electronics Hybrid Central Computer Rear Seat Entertainment Sound DVDC TV-Tuner 21 ECU in total SOP 2014 6
EVITA European research project June 2008 Dec 2011 E-safety vehicle intrusion protected applications Objective: Design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise when transferred inside a vehicle. More found at http://evita-project.org/index.html 7
Security Models - Categorization Full EVITA HSM Medium EVITA HSM Light EVITA HSM V2X communication On-board communication On-board communication Maximum level of functionality, security and performance Asymmetric cryptographic engine & Hash engine User-programmable functionality Maximum level of functionality and security Symmetric cryptographic engine User-programmable functionality Optimized for low cost HW-solution Symmetric cryptographic engine e.g. AES-128 Pre-defined functionality Secure CPU @ 100 MHz Secure CPU @ 25 MHz Secure Zone no CPU needed 64k 64k Optional NV Memory 512k 512k Optional NV RAM PRNG with TRNG seed PRNG with TRNG seed Optional T/PRNG Security LT > 20 years 8
SHE Secure Hardware Extension A New Standard? SHE - Security Objectives SHE - Building Blocks SHE - Performance Requirements 9
HIS - SHE HIS = Hersteller Initiative Software SHE = Secure Hardware Extension - meets Light EVITA HSM Specification by HIS Concept: Add a Secure Zone Prevent user access to security functions other than those given by logic Link to HIS & SHE: HIS portal on Security 10
SHE - Security Objectives Protect cryptographic keys from software attacks Provide an authentic software environment Let the security only depend on the strength of the underlying algorithm and the confidentiality of the keys Allow for distributed key ownerships Keep the flexibility high and the costs low 11
SHE Building Blocks (1) MCU with Secure Zone SHE data storage - volatile - non-volatile - for KEY & MAC Access only via defined command interface 12
SHE Perspective from Specification (2) SHE specifies Secure Zone components and algorithms Cryptography En-/decryption unit AES 128 algorithm ROM Secret key storage SECRET_KEY Unique key storage UID RAM RAM key storage PRNG key storage RAM ROM Cryptography NV-Memory NV-Memory Boot key & MAC storage Master key, general purpose key storage 13
SHE Perspective from Specification (3) Cryptography carries Encryption unit AES 128-based Applicable Standard Decryption unit AES 128-based RAM Cryptography NV-Memory CMAC Cipher-based Message Authentication Code generator ROM Miyaguchi-Preneel One-way compression function; compressed data cannot be recovered Input requests 128-bit wide chunks of data stream Outputs Hash-values to en-/decoding unit 14
SHE Perspective from Specification (3) Cryptography carries Encryption unit AES 128-based Applicable Standard Decryption unit AES 128-based CMAC Cipher-based Message Authentication Code generator RAM ROM NV-Memory Miyaguchi-Preneel One-way compression function; compressed data cannot be recovered Input requests 128-bit wide chunks of data stream Outputs Hash-values to en-/decoding unit 15
SHE Perspective from Specification (4) RAM carries RAM_KEY Temporary key used for arbitrary operations RAM Cryptography NV-Memory PRNG_KEY Key used by the Pseudo Random Number Generator ROM PRNG_STATE Keeps status of Pseudo Random Number Generator 16
SHE Perspective from Specification (4) RAM carries RAM_KEY Temporary key used for arbitrary operations Cryptography NV-Memory PRNG_KEY Key used by the Pseudo Random Number Generator ROM PRNG_STATE Keeps status of Pseudo Random Number Generator 17
SHE Perspective from Specification (5) ROM carries SECRET_KEY Unique key Used for im-/export of all other keys Has to be created with true random number generator (off-chip TRNG ) at production RAM ROM Cryptography NV-Memory UID Unique identifier Authenticates MCU Both SECRET_KEY and UID have to be fixed at production time 16 byte for SECRET_KEY and 15 byte for UID 18
SHE Perspective from Specification (5) ROM carries SECRET_KEY Unique key Used for im-/export of all other keys Has to be created with true random number generator (off-chip TRNG ) at production RAM Cryptography NV-Memory UID Unique identifier Authenticates MCU Both SECRET_KEY and UID have to be fixed at production time 16 byte for SECRET_KEY and 15 byte for UID 19
SHE Perspective from Specification (6) NV-Memory carries MASTER_ECU_KEY Set up by OEM (owner) Enables change of other keys BOOT_MAC_KEY Enables particular boot request and thus establishing secure boot BOOT_MAC Authentication of boot code KEY_<n> Dedicated key storage for arbitrary functions 3 10 keys PRNG_SEED Starting value for pseudo random number generator RAM ROM Cryptography NV-Memory Irreversible Write Protection of keys in NV-memory Any key in NV-memory area shall not be changeable throughout life time of the device once write-protection was applied by user 20
SHE Perspective from Specification (6) NV-Memory carries MASTER_ECU_KEY Set up by OEM (owner) Enables change of other keys BOOT_MAC_KEY Enables particular boot request and thus establishing secure boot BOOT_MAC Authentication of boot code KEY_<n> Dedicated key storage for arbitrary functions 3 10 keys PRNG_SEED Starting value for pseudo random number generator RAM ROM Cryptography Irreversible Write Protection of keys in NV-memory Any key in NV-memory area shall not be changeable throughout life time of the device once write-protection was applied by user 21
SHE - Performance Requirements Start-up / Secure Boot is Critical Path All SHE-equipped nodes have to perform secure boot process Availability to be established before 1 sec elapses MAC latency according SHE < 2 µsec for a 128-bit block MAC = Message Authentication Code Authentication of Flash contents at power up << 100 msec for 1 MByte required Exact requirement depends on Oscillator start-up times Network start-up, NM communication, MCU initializations 22
SHE Implementation SHE System SHE Integration SHE Implementation 23
SHE System Diagram Host System SHE EEFLASH SHECO SHE Firmware Public Secured NV_MEM IF Data IF Host Interface Command IF SHE Host Driver 24
SHE - System Integration (ATLAS-L/TITAN) MPU Sec. 32-bit AHB slave bus 64-bit AHB slave bus Sec. 32-bit AHB master bus 32-bit AHB slave bus Debug / Trace Cortex R4 CPU Boot ROM Cache Interrupt Controller Timing Protection EEFlash MPU MPU Ethernet MediaLB CRC I2S DMA TCFlash SRAM SHE MPU USB MPU System Controller Watchdog RTC External Interrupt Retention RAM Timers Timers Timers Timers GPIO 64-bit Multilayer AXI bus System RAM Quad-SPI Peripheral bus 3 Peripheral Protection Peripheral bus 1 Peripheral bus 0 Peripherals Peripherals Peripherals Peripherals Peripheral Peripheral Bus Peripheral Bridge Bus Bridge Bus Bridge Peripherals Peripherals Peripherals Peripherals MPU PPU Subsystem Content is protected Contains security config Bus master Bus slave 25
SHE Implementation 64-bit AHB bus Flash security 32-bit AHB bus 32-bit D bus SHE TRNG I bus SHECO HW barrier NV_MEM_MASTER AES-128 FR60 CPU ROM EEFLASH En-/decode CMAC Miyaguchi-Preneel AHB D RAM Cycle counter Public Sectors (6 x 8 K) Secured Sectors (2 x 8 K) PRNG Tx/Rx FIFOs Register I/F AXI Master PPU protection Data I/F Command/Data I/F Host Interface Bus master Bus slave MPU Host AXI bus Host AHB bus 26
SHE - Secured Key Storage (1) EEFLASH SECRET_KEY UID MASTER_ECU_KEY EMPTY EMPTY EMPTY FLAGS FLAGS FLAGS COUNTER BOOT_MAC_KEY EMPTY FLAGS COUNTER BOOT_MAC EMPTY FLAGS COUNTER KEY_<n> EMPTY FLAGS COUNTER RAM PRNG_KEY PRNG_STATE FLAGS FLAGS Common features 32 byte large key slots Access only by SHECO CPU NV memory Empty flag to distinguish between erased keys and keys written to 0xFF Flags and 28bit counters are stored in the same slot as the key SECRET_KEY and UID slots are write protected before device delivery No PRNG_SEED storage needed since on-chip TRNG is implemented RAM PRNG_KEY is calculated from SECRET_KEY during CMD_INIT_RNG command and stored in RAM slot RAM_KEY FLAGS 27
SHE - Secured Key Storage (2) Empty Write-protection Secure boot failure Debugger activation Wildcard UID Key usage Plain key Flags to be used for keys SECRET_KEY F 1 T 2 3 3 UID F 1 T 2 MASTER_ECU_KEY 4 BOOT_MAC_KEY 4 BOOT_MAC 4 KEY_<n> 4 PRNG_KEY 5 PRNG_STATE 5 RAM_KEY 5 used F used, always false T used, always true 1 Empty flags for SECRET_KEY and UID are set after the keys have been written (by Fujitsu) 2 Write-protection flags for SECRET_KEY and UID are set after the keys have been written (by Fujitsu) 3 SECRET_KEY inherits its protection flags from MASTER_ECU_KEY 4 The initial value after production will be TRUE 5 The initial value after power-up/hw-reset will be TRUE 28
SHE Software (Firmware) SHE firmware Implements SHE control logic + EEPROM emulation for key storage Is ROM based (no modification possible!) No debugging possible Entirely developed by Fujitsu Secure Boot Extension of FCR4 Boot-ROM for Secure Boot Validation of boot loader with support of SHE and DMA Block length configured by of SHE_BL_SIZE (SHE parameter) SHE evaluates the status via valid BOOT_MAC_KEY 29
SHE Software (AUTOSAR Driver) AUTOSAR driver V4.xx Implements SHE user accessible functions Handles hardware Interaction E.g I/F error handling Host driver for SHE will become a Fujitsu product 30
Outlook Cryptography becomes general trend for embedded systems Majority of ECU/MCU will have to support en-/decryption Data security will become mandatory feature for automotive applications Scaled between low-cost solutions like SHE for many ECUs and High protection requirements for a subset of ECUs SHE will be on the road in 2014 31
Thank you for your attention 32
33