EVITA

F2010-E-035SECUREAUTOMOTIVEON-BOARDELECTRONICSNETWORKARCHITECTURE1Apvrille,Ludovic,2ElKhayari,Rachid,2Henniger,Olaf*,3Roudier,Yves,3Schweppe,Hendrik,4Seudié,Hervé,5Weyl,Benjamin,6Wolf,Marko1TelecomParisTech,France,2FraunhoferInstituteforSecureInformationTechnology,Germany,3EURECOM,France,4RobertBoschGmbH,Germany,5BMWGroupResearchandTechnology,Germany,6escryptGmbH,GermanyKEYWORDS–automotiveon-boardnetwork;securityarchitecture;hardwaresecuritymodule,embeddedsystems,vehiclecommunicationsystemsABSTRACT–Thispaperintroduceshardwareandsoftwarecomponentsforsecureauto-motiveon-boardnetworksprovidingthebasisfortheprotectionofexternalvehiclecommuni-cation.ItisbasedonworkdonewithintheEuropeanresearchprojectEVITA().Itprovidesaframeworkthatcoverscross-layersecurity,targetingplatformintegrity,communicationchannels,accesscontrolandintrusiondetectionandmanagement.Wepresentamodularhardware/softwareco-design:Hardwaresecuritymodules(HSM)pro-videmeanstoprotecttheplatformintegrity,toensuretheintegrityandconfidentialityofkeymaterialandtoenhancecryptographicoperations,therebyprotectingcriticalassetsofthearchitecture.Inordertoprovidecost-effectivehardwaresolutions,threedifferentvariantsofHSMshavebeenspecified:ThefullHSMforprotectingexternalcommunicationinterfaces,themediumHSMforprotectingtheon-boardcommunicationbetweenelectroniccontrolunits(ECUs),andthelightHSMforprotectingtheon-boardcommunicationwithsensorsandactuators.Applicationspecificinterfacesareprovidedbythesoftwareframeworkthatinter-actswiththeHSMs.High-leveldesignconsiderations,suchasleastprivilegedesignandsepa-rationprincipleshavebeenfollowedthroughoutthework.Weprovideanoutlookondeploy-mentscenarios.MOTIVATIONAutomotiveapplicationsbasedonvehicle-to-vehicleandvehicle-to-infrastructure(V2X)communicationshavebeenidentifiedasameansfordecreasingthenumberoffataltrafficaccidentsinthefutureandforintelligenttrafficmanagement.However,maliciousattacksonembeddedITsystemsandnetworksimplementingthosefunctionalitiesandmaliciousen-croachmentsonmessagestransitingbetweenvehiclesandinfrastructure,suchassendingfakemessagesandspoofingoverthewirelessnetwork,mayhaveasevereimpact.Thus,theon-boardnetworkneedstoprovideappropriatesecuritymeasuresinordertoprotectagainstma-liciousmessages.Sensitivein-vehicledatamustbetrustableandprotectedfrommodification.Alistofpotentialattacksandrelatedsecurityrequirements(1)servedasstartingpointfordesigningthesecureon-boardarchitecture.Theattackshavebeenclassifiedaccordingtotheirrisklevelinordertochooseadequatelevelsofprotectionagainstthem.Wederivedin-carsecuritymechanismsoutofthesecurityrequirements(2).Securityfunctionsarepartitionedbetweensoftwareandhardwarewithcostandsecuritylevelsasmajorcriteria.Thesecurestorageofsecretkeystogetherwithsecureandtrustworthycommunicationamongin-carelectroniccomponentslaysthefoundationforsounddataexchangebetweenvehiclesorinfra-structureservices.Therefore,weplacethe“rootoftrust”inhardwaresecuritymodulesreal-izedasanon-chipextensiontoautomotiveECUs.Thisenablesthereliableenforcementofapplication-specificsecuritypropertiessuchasauthenticity,confidentiality,orfreshnessaswellasdependableaccesscontrol.Therestofthispaperisorganisedasfollows:AftergivinganoverviewofrelatedworkinthefieldofV2Xandon-boardcommunicationsandsummarizingthesecurityrequirementsfrom(1),wepresentoursecurityarchitecture.Thepaperconcludeswithadeploymentoverviewandasummaryandoutlook.RELATEDWORKThepastdecadehasseenatremendousgrowthinthevehicularcommunicationdomain,yetnocomprehensivesecurityarchitecturesolutionhasbeendefinedthatcoversallaspectsofon-boardcommunication(dataprotection,securecommunication,secureandtamperproofexecutionplatformforapplications).Ontheotherhand,severalprojects,namelyGST(3),C2C-CC(4),IEEEWave(5)andSeVeCOM(6)havebeenconcernedwithinter-vehicularcommunicationandhavecomeupwithsecurityarchitecturesforprotectingvehicle-to-vehicleandvehicle-to-infrastructurecommunications.Theseproposalsessentiallyaimatcommuni-cation-specificsecurityrequirementsinahost-basedsecurityarchitecturestyle,asattackersareassumedtobewithinanetworkwherenosecurityperimetercanbedefined(ad-hoccom-munication).Forinstance,(7)presentstheC2Ccommunicationconsortium’ssolutionintegratingpreviousapproaches(8)(15)(16)(17)forsecurevehicularcommunications.Theseproposalsconsiderthecarmostlyasasingleentity,communicatingwithothercarsusingsecureprotocols.Inparticular,thisarchitecturereliesonacomplexsecurityback-endinfrastructure(includingauthorities,notablyimplementingPKIs,e.g.,forpseudonymandidentitymanagement).Thisisnecessaryforprotectingtheidentityofacaryetmakingitpossibletomanageitsidentifierswhenrequired.However,nospecificexecutionplatformrequirementsareputforwardbytheseproposals,exceptfortheneedtoprotectnodeidentifiers:Allproposalsmentionthatdatasuchasvehicularregistrationandcryptographicmaterialshouldbestoredinatamper-resistantmanner.Unfortunately,thisrequirementisnotaccompaniedbyanyfurtheranalysisoftheparticularthreatstodataintegrityandauthenticationwithinthevehiclethatm