Vector Webinar Security Manager

The webinar discusses challenges in testing security-protected vehicle networks and ECUs. It introduces the Security Manager tool from Vector which supports different security implementations and manages keys, certificates, and security across a vehicle's lifecycle to enable automated testing of secured networks and ECUs.

Uploaded by vamsi chodisetti

Testing of Security-Protected ECUs and Networks with the Security Manager

Webinar

V0.2 | 2021-10-22

Welcome to the Webinar
Testing of Security-Protected ECUs and Networks with the Security Manager

Automotive Cybersecurity Webinar Series

• Part 1: Automotive Cybersecurity: ISO 21434, CSMS and SUMS
> Date: 2021-10-13
> Recording

• Part 2: Fuzz Testing: How robust is your System under Test?
> Date: 2021-10-19
> Recording

• Part 3: Testing of Security-Protected ECUs and Networks With the Security Manager
> Date: 2021-10-26

• Part 4: Preventing Unauthorized Network Access With Automotive Firewalls
> Date: 2021-11-24
> Registration

Technical Notes

• Feedback and Communication
> Open and review the chat window to get all organizational messages of the hosts.
> Use the "Q&A" window instead of the chat window for questions during the webinar. Post your questions to "All Panellists". Questions are answered online during and after the presentation.

• Slides and Presentation
> Within 1-2 days after the webinar, you will receive a link to the slides and additional information.
Agenda

• Welcome to the Webinar
• Motivation
• Challenges
• Security Manager – the Vector answer
• Secure On Board Communication (SecOC)
• Secure Diagnostics – UDS 0x29
• Summary
• Questions & Answers
Motivation
Vehicle network architecture today

• Many important external interfaces
• Connected to the outside world
• Ethernet as new network technology

Security is required!
Motivation
Security protects Features and Business Models

• Security Goals:
> Integrity: checking to ensure that information contents are complete and unmodified.
> Authenticity: trustworthy data exchange between senders and receivers.
> Confidentiality: data is encrypted and can only be read by authorized nodes.

• Replay protection: a freshness mechanism prevents replay of valid pairs of data and authentication.

• New challenges:
> Simulation and testing of secured ECUs and networks
> Testing of security mechanisms
What about Tools?
Testing vehicles in the past

Any test tool could communicate with the ECU networks.

Security:
• Data Integrity
• Seed & Key

Testing network communication:
• Reading network data
• Stimulating
• Replay recorded data

What about Tools?
Testing vehicles today

Any test tool could communicate with the ECU networks.

Security:
• Integrity
• Authentication
• Encryption
• TLS
• SecOC

Testing network communication:
• Reading network data
• Stimulating, Simulating and Testing
• Replay recorded data

Test tools must support security: with these mechanisms in place, the same test activities (reading, stimulating, simulating, testing, replaying) only work if the tool can take part in the security mechanisms.
Security Mechanisms
Automotive Cyber Security in OSI Layers

Layer 7 (Application): SecOC, UDS Service 0x29, UDS Service 0x27
Layer 5: TLS, DTLS
Layer 4: TCP, UDP
Layer 3: IPv4/v6, IPsec
Layer 2: Ethernet MAC + VLAN, MACsec
Layer 1: Ethernet PHY

• AUTOSAR SecOC: authenticity + freshness for various bus systems/networks
• UDS Service 0x29, Authentication: more sophisticated method of authentication and authorization of a Diagnostics Tester towards an ECU
• UDS Service 0x27, Seed & Key: the legacy method of secure access of a Diagnostics Tester towards an ECU
• TLS: may apply all security goals on layer 5 over Ethernet, end to end
• DTLS: may apply all security goals on layer 5 over Ethernet, end to end
• IPsec: may apply all security goals on layer 3 over Ethernet, end to end
• MACsec: may apply security goals on layer 2, i.e. for one Ethernet link, done by hardware

AUTOSAR: Automotive Open System Architecture
TLS: Transport Layer Security
DTLS: Datagram Transport Layer Security
UDS: Unified Diagnostic Services
SecOC: Secure On-board Communication
Challenges
Diversity of security implementation, e.g. SecOC

Secured Onboard Communication as implemented by three OEMs:

OEM 1
• Time-based freshness
• CMAC
• Keys on server

OEM 2
• Trip-based freshness
• SipHash
• Keys in secured container

OEM 3
• Time-based freshness
• Challenge-Response
• CMAC
• Default key in development
Challenges
Management of different security implementations

• Accessing OEMs' security data
> Keys / key generation
> Certificates
• Managing different security algorithms
> CMAC
> SipHash
• Different freshness models
> Time-based
> Trip-based
> OEM specific variants
• Security on different layers
> SecOC
> Diagnostics
> TLS
Challenges
Security in a vehicle's life cycle

Test tools have to manage security depending on the vehicle's life cycle.

| Aspect       | Development       | Production           | After Sales         |
| Security     | Active / Inactive | Active               | Active              |
| Key          | Default key       | Key generation       | Defined vehicle key |
| Freshness    | Flexible          | Fixed, initial value | Fixed, any value    |
| Backend      | Development       | Productive           | Productive          |
| Certificates | Full access       | Restricted           | Restricted          |
Security Manager
Use Cases - Security Manager

• SecOC
• Secured Diagnostics
• TLS
• IPsec
• MACsec (planned)
• Cryptographic Functions
• Public Key Infrastructure
• Secret Management

Security Manager
Vector Security Manager concept

(Concept diagram only in the original slide.)
Security Manager
Security Configuration and Management

• Common configuration for all Vector tools
• OEM specific Security Add-On
> Available as plugin for the Security Manager
> Implements specific security algorithms
> Provides access to keys and certificates on OEM specific infrastructure
> Provides Security Profiles for tool usage (the slide shows Development, Production and After Sales profiles as Security Sources of an OEM1 Add-On)
> Multiple profiles within an Add-On are possible
> E.g.: test vehicle (non-development keys, breadboard, sample ECU, ...)
Security Manager
Using Security - Tool Interface

• Use case tool based interface: Encryption, Authentication, ...
• Encapsulation of the secrets: the tool client cannot export and use keys and certificates
• Low level crypto functions for test implementation
> Interface: Encrypt, Decrypt, Verify, Sign, Authenticate, Unlocking
• Key Store
> Contains keys and certificates
> Import of temporary keys and certificates from the tool
• Reusable Freshness Manager models:
> Counter / time stamp based
> Trip Counter based
> OEM specific variants

(The slide shows the Vector Security Manager with SecOC, Crypto and Freshness functions and the Key store, connected through the interface to the Vector tools CANoe, CANape, ... and to the network.)
Security Manager
Supported Tools

CANoe
• SecOC
• Diagnostics
> Authentication
> Variant Coding
• Transport Layer Security (TLS)
> Simulation of Client and Server, CAPL API available
> TLS Observer using Master Secret (direct configuration, extracting special UDP frame)
> DoIP over TLS
• IPsec
> IKEv2 support (certificate based peer authentication, Dead Peer Detection, IKE Fragmentation and IKE Rekeying)
> Import of strongSwan IPsec configurations
> Full control of the Security Policy Database

CANape
• Diagnostics
> Authentication
> Variant Coding

Indigo
• Diagnostics
> Authentication

vFlash
• Diagnostics
> Authentication
Secure On Board Communication (SecOC)
Basics – Cipher-based Message Authentication Code (CMAC)

• Bus systems: CAN, FlexRay and Ethernet
• Typical algorithm: CMAC/AES 128
• Input for the algorithm:
> Data to be secured
> Secret key
>> Key must be known at sender and receiver side
>> Key can be derived on demand if the key generation mechanism is known
> Local freshness
>> The ECU has to be synced to the freshness used in the network
• Result:
> The Message Authentication Code (MAC) is copied to the Secured-I-PDU
> Both values (MAC, freshness) can be truncated for data reduction
Secure On Board Communication (SecOC)
Basics – Cipher-based Message Authentication Code (CMAC)

• The mechanism is applied on Secured-I-PDUs from the AUTOSAR database
• Data and Authenticator in one secured PDU (Data Security PDU)
> Layout: Payload | Counter | Signature
> Counter: position and length are configurable
• Data and Authenticator in separate PDUs (Data PDU + Cryptographic PDU)
> Data PDU: Payload | Counter
> Cryptographic PDU: Signature | Counter
> Counter: the value must be identical in both messages

AUTOSAR Explorer – layout and attributes of an AUTOSAR Secured-I-PDU (screenshot in the original slide)
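The CMAC/AES-128 authenticator and the Data Security PDU layout of the two slides above, as an added example that is not part of the webinar and not code from any Vector tool: AES-CMAC per RFC 4493 (checked against the RFC test vectors) and a simplified Secured-I-PDU that is built on the sender side and verified on the receiver side. Assumptions not taken from the slides: the PDU is payload, then the low bytes of a 32-bit freshness counter, then the leading bytes of the MAC; no Data ID is prepended; truncation is to whole bytes; the receiver is already synced and passes its full local freshness value in. Key and payload are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// shiftLeftOne shifts a 16-byte block left by one bit (RFC 4493 subkey derivation).
func shiftLeftOne(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	return out
}

// subkeys derives K1 and K2 from AES_K(0) (RFC 4493 section 2.3).
func subkeys(c cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	c.Encrypt(l, make([]byte, blockSize))
	k1 = shiftLeftOne(l)
	if l[0]&0x80 != 0 {
		k1[blockSize-1] ^= 0x87
	}
	k2 = shiftLeftOne(k1)
	if k1[0]&0x80 != 0 {
		k2[blockSize-1] ^= 0x87
	}
	return k1, k2
}

// AESCMAC returns the full 16-byte CMAC of msg under a 16-byte AES key (RFC 4493 section 2.4).
func AESCMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := subkeys(c)
	n := (len(msg) + blockSize - 1) / blockSize
	last := make([]byte, blockSize)
	if n > 0 && len(msg)%blockSize == 0 { // complete final block: XOR with K1
		copy(last, msg[(n-1)*blockSize:])
		for i := range last {
			last[i] ^= k1[i]
		}
	} else { // incomplete or empty final block: pad with 10* and XOR with K2
		if n == 0 {
			n = 1
		}
		rem := msg[(n-1)*blockSize:]
		copy(last, rem)
		last[len(rem)] = 0x80
		for i := range last {
			last[i] ^= k2[i]
		}
	}
	x, y := make([]byte, blockSize), make([]byte, blockSize)
	for i := 0; i < n; i++ { // CBC-MAC over all blocks; the last block is already masked
		blk := last
		if i < n-1 {
			blk = msg[i*blockSize : (i+1)*blockSize]
		}
		for j := range y {
			y[j] = x[j] ^ blk[j]
		}
		c.Encrypt(x, y)
	}
	return x, nil
}

func validTrunc(freshBytes, macBytes int) bool {
	return freshBytes >= 1 && freshBytes <= 4 && macBytes >= 1 && macBytes <= blockSize
}

// SecuredIPDU builds the slide's Data Security PDU in simplified form (assumption: no Data ID):
// payload | low freshBytes bytes of the counter | first macBytes bytes of the MAC.
// The MAC covers the payload and the FULL 32-bit freshness value, not only the transmitted bytes.
func SecuredIPDU(key, payload []byte, freshness uint32, freshBytes, macBytes int) ([]byte, error) {
	if !validTrunc(freshBytes, macBytes) {
		return nil, fmt.Errorf("invalid truncation: freshBytes=%d macBytes=%d", freshBytes, macBytes)
	}
	var fv [4]byte
	binary.BigEndian.PutUint32(fv[:], freshness)
	mac, err := AESCMAC(key, append(append([]byte{}, payload...), fv[:]...))
	if err != nil {
		return nil, err
	}
	pdu := make([]byte, 0, len(payload)+freshBytes+macBytes)
	return append(append(append(pdu, payload...), fv[4-freshBytes:]...), mac[:macBytes]...), nil
}

// VerifySecuredIPDU is the receiver side; localFreshness is the receiver's synced full counter.
// The payload is returned only if the transmitted freshness bytes and the truncated MAC match.
func VerifySecuredIPDU(key, pdu []byte, localFreshness uint32, freshBytes, macBytes int) ([]byte, bool) {
	if !validTrunc(freshBytes, macBytes) || len(pdu) < freshBytes+macBytes {
		return nil, false
	}
	n := len(pdu) - freshBytes - macBytes
	payload, rxFresh, rxMAC := pdu[:n], pdu[n:n+freshBytes], pdu[n+freshBytes:]
	var fv [4]byte
	binary.BigEndian.PutUint32(fv[:], localFreshness)
	if !bytes.Equal(rxFresh, fv[4-freshBytes:]) {
		return nil, false // receiver is not synced to the freshness the sender used
	}
	mac, err := AESCMAC(key, append(append([]byte{}, payload...), fv[:]...))
	if err != nil || subtle.ConstantTimeCompare(mac[:macBytes], rxMAC) != 1 {
		return nil, false
	}
	return payload, true
}

func main() {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c") // RFC 4493 test key, not a vehicle key
	pdu, _ := SecuredIPDU(key, []byte{0x11, 0x22, 0x33, 0x44}, 0x00010203, 2, 4)
	fmt.Println("secured PDU:", hex.EncodeToString(pdu))
	_, ok := VerifySecuredIPDU(key, pdu, 0x00010203, 2, 4)
	fmt.Println("verified with synced freshness:", ok)
}
```

The receiver recomputes the MAC over the full freshness value it holds locally, which is why the slide insists that the ECU must be synced: a PDU whose transmitted low freshness bytes match but whose high bytes differ from the receiver's value fails the MAC check.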
Secure On Board Communication (SecOC)
Concepts of Freshness

• Message counter-based freshness (MCBF)
• Trip counter based freshness (TCBF): trip counter, reset counter and message counter
• Time stamps
• Hybrid system: time stamp & message counter

(Each concept is illustrated in the original slide as an exchange between ECU 1 and ECU 2.)
Secure On Board Communication (SecOC)
Basics - Freshness

Goal of freshness: prevention of secured data replay.

• The freshness creates a time limited validity of the data.
• Several concepts for freshness distribution and resynchronization:
> Master/slave concept: the freshness master transmits a sync message cyclically.
> Challenge/response mechanism to request an authenticated freshness.
• The AUTOSAR standard defines a freshness value; the practical use is designed by each OEM.
Secure On Board Communication (SecOC)
Demo – CANoe simulation with 2 nodes

• Automatic CMAC calculation before secured PDU transmission
• Automatic CMAC validation after secured PDU reception
> Overlay icons in the trace window
> CAPL callback
• Participation in the freshness mechanism
> Freshness master: transmission of sync messages
> Freshness slave: internal counting of freshness, evaluation of sync messages, use of local freshness for CMAC operations
• Fault injection with CAPL callback
> Access to all PDU data before transmission
Secure Diagnostics – UDS 0x29
Authenticity for diagnostic services

• Before authentication, data and diagnostic services are restricted and locked
• Authentication unlocks specific subsets of data and services
• Each service specifies a requirement to be unlocked:
> Secret function (Seed & Key)
> Certificate (PKI certificate exchange)
• An authenticated tester can only use unlocked services

(The slide shows a tester accessing Service 1, Service 2, ..., Service m on the ECU.)
Secure Diagnostics – UDS 0x29
Unified Diagnostic Services (UDS): Service 0x29

• Service for diagnostic tester authentication
• Published in ISO 14229-1:2020

Authentication (0x29)
• Authentication with PKI certificate exchange: asymmetric cryptography
• Authentication with challenge-response: asymmetric cryptography or symmetric cryptography

Introduced with AUTOSAR 4.4.0: "Note: AUTOSAR Dcm only implements the authentication via PKI certificate exchange. Authentication with challenge-response (ACR) is out of scope of AUTOSAR. If it is required it needs a full custom implementation using existing Dcm callouts for custom service processing." Source: SWS_Dcm_01559 (CP R4.4.0)
Secure Diagnostics – UDS 0x29
Service 29: Authentication with PKI certificate exchange

Request 29 08 (Tester -> ECU); positive response 69 08 followed by the ARP (ECU -> Tester).

ARP = Authentication Return Parameter
PKI = Public Key Infrastructure

ARP 02: Authentication with PKI Certificate Exchange (APCE); will be supported by DEXT and AUTOSAR
ARP 03: Authentication with Challenge-Response (ACR) and asymmetric cryptography
ARP 04: Authentication with Challenge-Response (ACR) and symmetric cryptography
Secure Diagnostics – UDS 0x29
Service 29: Authentication with PKI certificate exchange

The slides build up the sequence between Tester and ECU step by step:

• 29 01 00 + Tester Certificate (Tester -> ECU): the tester sends its public key certificate to the ECU.
> ECU verifies that the certificate is valid by checking its signature.
> ECU now has the public key of the tester's certificate.
> ECU has no proof of ownership yet.
• 69 01 11 + ECU Challenge (ECU -> Tester): the ECU sends a challenge to the tester.
• 29 03 + Proof of Ownership (Tester -> ECU): the tester computes a signature using the certificate's private key and the received challenge.
> ECU verifies the signature with the public key of the tester's certificate.
• 69 03 12 (ECU -> Tester): the tester has proven that it has ownership of a certificate that was signed by a higher level certificate authority.

Certificate contents shown in the slide: Public Key, Diagnostic Role, Unlocked Services, ..., Signature; the tester holds the matching Private Key.
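The four-step sequence above, as an added example that is not part of the webinar and not the Vector or AUTOSAR Dcm implementation: an ECU model that verifies the tester certificate against a trust anchor, issues a challenge, and only sets its authenticated flag once the proof of ownership verifies; a tester function that signs the challenge. Assumptions not taken from the slides: ECDSA P-256 with SHA-256 as the signature scheme; the certificates are constructed in-process with Go's crypto/x509; the exchange is modelled as function calls carrying the return parameter values 0x11 and 0x12 from the slides rather than the full ISO 14229 byte layout of the 29 01 / 69 01 / 29 03 / 69 03 messages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Return parameters from the slides: 0x11 after 29 01 (certificate verified, ownership still to be
// proven) and 0x12 after 29 03 (ownership verified, authentication complete).
const (
	arpCertVerifiedOwnershipNeeded byte = 0x11
	arpOwnershipVerified           byte = 0x12
)

// ECU is the ECU side of the exchange (simplified model).
type ECU struct {
	Roots         *x509.CertPool   // trust anchor: the higher level certificate authority
	testerPub     *ecdsa.PublicKey // taken from the verified tester certificate
	challenge     []byte           // outstanding challenge, single use
	Authenticated bool
}

// VerifyCertificateUnidirectional handles 29 01 00 + tester certificate: check the certificate
// against the trust anchor, remember its public key and answer 69 01 11 + a fresh challenge.
func (e *ECU) VerifyCertificateUnidirectional(cert *x509.Certificate) (byte, []byte, error) {
	e.Authenticated, e.testerPub, e.challenge = false, nil, nil
	opts := x509.VerifyOptions{Roots: e.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return 0, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return 0, nil, errors.New("certificate rejected: unsupported key type")
	}
	e.testerPub, e.challenge = pub, make([]byte, 32)
	if _, err := rand.Read(e.challenge); err != nil {
		return 0, nil, err
	}
	return arpCertVerifiedOwnershipNeeded, e.challenge, nil
}

// ProofOfOwnership handles 29 03 + signature: verify it over the outstanding challenge with the
// public key from the certificate. Only then is the tester authenticated (69 03 12).
func (e *ECU) ProofOfOwnership(sig []byte) (byte, error) {
	if e.testerPub == nil || e.challenge == nil {
		return 0, errors.New("sequence error: no verified certificate or no challenge outstanding")
	}
	digest := sha256.Sum256(e.challenge)
	e.challenge = nil // a challenge is never reused, whatever the outcome
	if !ecdsa.VerifyASN1(e.testerPub, digest[:], sig) {
		return 0, errors.New("proof of ownership failed")
	}
	e.Authenticated = true
	return arpOwnershipVerified, nil
}

// SignChallenge is the tester side of 29 03: sign the challenge with the certificate's private key.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// IssueCert issues a certificate for pub; with isCA it is self-signed and parent is ignored.
func IssueCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI builds a constructed diagnostic CA and a tester certificate issued by it.
func NewDemoPKI() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, err := IssueCert("Constructed Diagnostic CA", true, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	testerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	testerCert, err := IssueCert("Constructed Tester", false, &testerKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, testerCert, testerKey, nil
}

func main() {
	roots, cert, key, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	ecu := &ECU{Roots: roots}
	arp, challenge, err := ecu.VerifyCertificateUnidirectional(cert)
	fmt.Printf("69 01 %02X err=%v\n", arp, err)
	sig, _ := SignChallenge(key, challenge)
	arp, err = ecu.ProofOfOwnership(sig)
	fmt.Printf("69 03 %02X err=%v authenticated=%v\n", arp, err, ecu.Authenticated)
}
```

The two checks are deliberately separate, exactly as on the slides: a valid certificate alone yields 0x11 and no access, because anyone can replay a public certificate; access follows only from 0x12, which requires the private key that the certificate binds to its public key.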
Secure Diagnostics – UDS 0x29
Authentication with PKI certificate exchange and OEM backend

The same sequence, with the tester obtaining the diagnostic certificate and the proof of ownership from the OEM backend over http:

• Tester -> OEM Backend (http): request for the Diagnostic Certificate; OEM Backend -> Tester: Diagnostic Certificate
• Tester -> ECU: 29 01 00 + Diagnostic Certificate
• ECU -> Tester: 69 01 11 + ECU Challenge
• Tester -> OEM Backend (http): ECU Challenge; OEM Backend -> Tester (http): Proof of Ownership
• Tester -> ECU: 29 03 + Proof of Ownership
• ECU -> Tester: 69 03 12
Secure Diagnostics – UDS 0x29
Demo – CANoe simulation with Tester and ECU

• Vector Security Manager implements the complete sequence as a single operation
• Triggering of authentication with CAPL function
> Test unit: testWaitForDiagAuthCompleted, testWaitForDiagAuthGenericCompleted
> Simulation: diagStartAuth, diagStartAuthGeneric, _Diag_AuthResult
• Certificate source
> File based in Security Manager
> Optional with OEM specific backend: the OEM Security Add-On implements the access and communication
Vector Academy
New Remote Training available...

• Do you want to know how the Security Manager works together with CANoe?
• How to easily secure DoIP sessions with TLS?
• How SOME/IP can be secured with TLS, DTLS or IPsec?
• Visit our website for further information: Security with CANoe.Ethernet and Security Manager | Vector Academy
Summary
Testing of Security-Protected ECUs and Networks with the Security Manager

• The Security Manager enables the Vector tools to deal with security use cases with the goal: simulation and test despite security!
• The tool is delivered together with the Vector tools
• OEM Security Add-Ons provide the specific security implementation to the tools.
Questions & Answers
Questions about the topic?

Please use the Q&A chat window to ask your question.

For more information about Vector and our products please visit www.vector.com

Author:
Markus Fischer
Vector Germany

© 2017. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V0.2 | 2021-10-22