Security Concepts for Ethernet based E/E-Architectures
Authors: Jan Holle (ESCRYPT GmbH) & Timo Lothspeich (Robert Bosch GmbH)
2016 IEEE-SA Ethernet & IP @ Automotive Technology Day, 2016-09-21, Paris
Public | ETAS-PSC/ECE4 | Jan Holle | © ESCRYPT 2016. All rights reserved. Ident: 00TE047 | Version: 01 | State: released | If printed, this document is an uncontrolled copy.
[email protected]
ESCRYPT - Embedded Security: ESCRYPT Company Profile
ESCRYPT GmbH
Foundation: 2004
Shareholder: 100 % ETAS GmbH
Headquarters: Bochum
Employees: 100 security experts world-wide
Management: Martin Ridder, Dr. Thomas Wollinger
Portfolio: ESCRYPT provides a variety of products and services suited to protect devices and applications, to secure the back-end infrastructure, and to protect business models. ESCRYPT's products are applicable to all industries with a need for embedded security.
• Security consulting and services
• Security products
• Tailored security solutions
• Supporting infrastructure
Security Concepts for Ethernet based E/E-Architectures: Agenda
Introduction and Motivation
• Why does automotive security matter?
• Holistic approach to Automotive Security
Security Challenges of Ethernet based E/E-Architectures
• State-of-the-Art concerning security in current/upcoming E/E-Architectures
• Selected security challenges and characteristics w.r.t. the introduction of Ethernet
• Evaluation of currently available security mechanisms/protocols (selection)
Security Concept for Ethernet based E/E-Architectures
• E/E-Architecture
• Secure Communication
• Security Components
Conclusion & Outlook
Introduction and Motivation: Why does automotive security matter?
23rd July 2015: First security-related recall campaign, 1.4 million potentially affected vehicles. Defect: “[…] A successful exploit of this security vulnerability could result in unauthorized remote modification and control of vehicle systems […]”
Source: https://www-odi.nhtsa.dot.gov
Some more recent examples:
• 2015: Demonstrated attacks utilizing aftermarket OBD dongles connected to cellular networks, permitting arbitrary CAN messages to be sent remotely
• 2016: Extension of the publication which led to the mentioned recall, describing how to circumvent limitations w.r.t. physical control of the vehicle
Source: http://www.wired.com
Automotive Security is on the political agenda
Automotive Security bill introduced by Senators Markey and Blumenthal: “Security and Privacy in Your Car Act of 2015” or the “SPY Car Act of 2015”
Source: https://www.congress.gov
Introduction and Motivation: Holistic approach to Automotive Security
• Secure ECU
• Secure In-Vehicle Communication
• Secure E/E-Architecture
• Secure connected vehicle
Security Challenges of Ethernet based E/E-Architectures: State-of-the-Art concerning security in current/upcoming E/E-Architectures
CAN communication flow control by the central gateway (CGW)
• Forward only relevant (whitelisted) CAN messages from one CAN bus to another
• Separation of CAN traffic based on different automotive domains, e.g. between components with remote interfaces and safety-relevant components
Secure On-Board Communication
• Specified in AUTOSAR 4.2.1
• Required by OEMs world-wide
Protected Diagnosis
• Improved challenge-response
Firewalls in connected ECUs
Security Challenges of Ethernet based E/E-Architectures: Selected security challenges and characteristics w.r.t. the introduction of Ethernet
• Highly increased data rate and payload
• Much broader variance of the protocol landscape
• Adding a new dimension of complexity to automotive communication systems
• Transition to switch-based automotive networks
• Influencing the amount and type of communication filters as well as the number of filters to be applied per message
• Introduction of TCP with a state-based communication flow
• Influencing the required performance of security mechanisms (e.g. filtering or verification of authenticity/integrity)
• Overall vehicle security becomes dependent on dedicated hardware (switches) with fixed functionality
• Remote connectivity of vehicles
• Contradicting requirements with respect to end-to-end security and filtering mechanisms (e.g. deep packet inspection, DPI)
• More complex and comprehensive key management
Security Challenges of Ethernet based E/E-Architectures: Evaluation of currently available security mechanisms/protocols (selection) I/III
IEEE 802.1X: Port-based Network Access Control (PNAC)
• Encapsulation of the Extensible Authentication Protocol (EAP)
• Network access control based on node authentication
• Various implementation variants: only the message format is defined; integration of symmetric as well as asymmetric cryptography possible
• Potential availability issues and additional delay until ready for communication
• Can't prevent Man-in-the-Middle attacks (without an additional secure communication mechanism)
Highly flexible security mechanism with a good chance for application in future E/E-Architectures
Security Challenges of Ethernet based E/E-Architectures: Evaluation of currently available security mechanisms/protocols (selection) II/III
IEEE 802.1AE: Media Access Control Security (MACsec)
• Protects communication between trusted components of the network infrastructure
• Insertion of a security tag in the frame header
• Authentication (and optional encryption) based on symmetric cryptography (default: AES in Galois/Counter Mode)
• Key management and secure communication establishment rely on integration of the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X (see previous slide)
• Needs to be supported by the switch (hardly available in automotive)
Frame protection between trusted nodes on a hop-by-hop basis
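The security tag mentioned above, as an added example that is not part of the slides or of any ESCRYPT product: a parser for the 802.1AE SecTAG (EtherType 0x88E5, TCI/AN, SL, PN, optional SCI) followed by the per-secure-channel replay window check a receiving port applies to the packet number. The frame bytes are constructed; the ICV is not verified here, since that needs the GCM-AES key distributed by MKA.

```python
# Constructed example (not from the slides or the IEEE 802.1AE text): decode a
# MACsec SecTAG and apply the receiver's replay window to its packet number.
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16   # GCM-AES integrity check value trailing the secure data

@dataclass
class SecTag:
    an: int                 # association number: which SAK of the channel is in use
    encrypted: bool         # E bit set: payload is confidential, not only authenticated
    pn: int                 # 32-bit packet number, the replay-protection counter
    sci: Optional[bytes]    # secure channel identifier, present only if SC bit set
    secure_data: bytes
    icv: bytes

def parse_macsec(frame: bytes) -> SecTag:
    """Split DA|SA|SecTAG|secure data|ICV into fields; the ICV is NOT verified here."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15]
    if tci_an & 0x80:                       # V bit: only version 0 is defined
        raise ValueError("unsupported MACsec version")
    (pn,) = struct.unpack_from("!I", frame, 16)
    off, sci = 20, None
    if tci_an & 0x20:                       # SC bit: explicit 8-octet SCI follows the PN
        sci, off = frame[off:off + 8], off + 8
    secure_data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    short_len = sl & 0x3F                   # non-zero only if secure data < 48 octets
    if short_len and len(secure_data) != short_len:
        raise ValueError("SL field contradicts secure data length")
    return SecTag(tci_an & 0x03, bool(tci_an & 0x08), pn, sci, secure_data, icv)

class ReplayCheck:
    """Receive state of one secure channel: a PN is accepted only if it lies
    above highest_seen - window; window 0 enforces strict in-order delivery."""
    def __init__(self, window: int = 0):
        self.window, self.highest = window, 0
    def accept(self, pn: int) -> bool:
        if pn == 0 or pn + self.window <= self.highest:
            return False                    # replayed or too old: discard the frame
        self.highest = max(self.highest, pn)
        return True

# Constructed frame: DA, SA, SecTAG with SC+E+C bits and AN 0, SL 5, PN 1,
# an SCI of 0xAA bytes, 5 octets of secure data and an all-zero placeholder ICV.
SAMPLE_FRAME = (b"\x01" * 6 + b"\x02" * 6 + b"\x88\xe5" + bytes([0x2C, 0x05])
                + b"\x00\x00\x00\x01" + b"\xaa" * 8 + b"\xde\xad\xbe\xef\x00" + b"\x00" * 16)
```

Note that a replay window larger than 0 admits duplicates of any PN inside the window, which is why strict (window 0) operation is the conservative choice on links that do not reorder frames.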
Security Challenges of Ethernet based E/E-Architectures: Evaluation of currently available security mechanisms/protocols (selection) III/III
IEEE 1722: Audio/Video Bridging (AVB) Transport Protocol (P1722_rev1-D16)
• Dedicated subtype formats for secure transmission of AVP messages
• Draft includes mechanisms based on AES-128/256 to provide confidentiality and integrity for AVB streams in time-constrained use cases
• Application of Synthetic Initialization Vector (SIV) authenticated encryption
• Draft includes mechanisms based on elliptic curve cryptography as specified in IEEE 1363a
• Digital signatures or encryption mechanisms ensure security, e.g. for secure key management and device authorization and authentication
Stream protection between trusted stations within an AVB domain
Security Concept for Ethernet based E/E-Architectures: E/E-Architecture
A defense-in-depth approach is needed
• Multiple layers of defense, i.e. a single point of protection is insufficient
• Multiple (critical) networks need mutual isolation
• A local attacker always needs to be considered
Figure: VLAN A (vehicle network and IP subnet) | Internal Firewall | VLAN B (DMZ and IP subnet)
Basic concept: Partitioning and Secure Communication
• Establish/preserve different communication domains (similar to CAN) based on VLANs
• Consider issues due to multiple VLANs per port, i.e. enhanced security needs for ECUs
• Use firewall(s) to enforce the communication flow (similar to CGWs for CAN today)
Do not solely rely on initially implemented protection mechanisms
• Detect potential attacks in the field (Intrusion Detection Systems, IDS)
• Prevent/stop ongoing attacks in the field (Intrusion Prevention Systems, IPS)
• E.g. by applying Software-over-the-Air updates
Security Concept for Ethernet based E/E-Architectures: Secure Communication
Security Concept for Ethernet based E/E-Architectures: Security Components
CAN vs. Ethernet Routing/Firewall (simplified)
CAN mechanism ~ Ethernet equivalent
• Bus separation ~ VLANs (enforced by the switch; be careful w.r.t. tagged VLANs)
• CAN routing (CAN-ID and source bus) ~ IP routing (according to source and destination addresses, OSI layer 3)
• CAN-ID filter ~ Packet filter (filter mechanisms incl. port, OSI layers 3+4)
• CAN payload filter ~ Deep packet inspection
• State-aware filtering in CAN ~ Stateful packet filtering
• Packet rate filtering ~ Ingress/egress filtering in Ethernet, i.a. QoS on higher layers
Conclusion & Outlook
Automotive Ethernet will be an important enabler for future E/E-Architectures
• Provides enhanced performance, flexibility and scalability
• Chance to reuse well-established classical IT security mechanisms
• A smart combination of available mechanisms should provide a sufficiently robust security concept
Implementation of necessary software components:
• Efficient protocol implementations
• Firewalls, IDS/IPS
• Usage of hardware acceleration
• Key management concepts
Highly networked vehicles deserve a customized overall security concept
ESCRYPT - Embedded Security: Service Wherever It Is Needed
Europe: Germany: Berlin, Bochum, Munich, Stuttgart, Wolfsburg; UK: York; Sweden: Lund
Asia: China: Shanghai; Japan: Yokohama; Korea: Seoul
America: USA: Ann Arbor; Canada: Waterloo
ESCRYPT - Embedded Security: Headquarters
Lise-Meitner-Allee 4 44801 Bochum Germany
Phone: +49 234 43870-200 Fax: +49 234 43870-211
[email protected] www.escrypt.com