How new-gen MCUs handle automotive security

Posted: 05 Jan 2014

Keywords: Advanced Driver Assistant System, ADAS, microcontrollers, MCUs, MOST

The HSM module can provide several cryptographic functions because it implements a crypto channel controller to manage a TRNG (True Random Number Generator) and an MPAES (Micro Processor Advanced Encryption Standard).

End-of-life protection
Once the device has been moved to the DLC "Failure Analysis" stage, some protection mechanisms must be disabled to allow analysis of any possible issues. At first, this configuration might seem to offer a way to break the security protection in place and modify the embedded firmware, setting the device back to the DLC "In Field" stage so that it can be reconnected to the original system.

However, this scenario has been anticipated and solved with several countermeasures included in the "End-of-Life Protection" mechanism, which can be summed up as a full CAN and FlexRay transmission break, E-fuse protection, and optionally running the BAF in an endless loop.

The E-fuse is a mechanism that leaves permanent evidence inside the device when a particular Flash Test Mode is enabled. Because this operation is irreversible, the state of the device becomes easy to detect, and by keeping it permanently in "Failure Analysis" a return to the DLC "In Field" stage is made impossible.
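The following is an added illustration of the behaviour just described, not code from the article or from STMicroelectronics: a small model of the DLC stages in which the E-fuse is a one-time-programmable bit that overrides whatever the rewritable stage flag in flash claims. The "Production" stage, the allowed-transition set, the method names and the flag layout are assumptions for the demo; the article only gives the "In Field" and "Failure Analysis" stages, the Flash Test Mode trigger and the CAN/FlexRay transmission break.

```python
from enum import Enum


class Stage(Enum):
    """Device life cycle (DLC) stages; PRODUCTION is assumed for this demo."""
    PRODUCTION = "Production"
    IN_FIELD = "In Field"
    FAILURE_ANALYSIS = "Failure Analysis"


# Forward-only transitions a legitimate DLC flow may request (assumed set).
ALLOWED = {
    (Stage.PRODUCTION, Stage.IN_FIELD),
    (Stage.IN_FIELD, Stage.FAILURE_ANALYSIS),
}


class Device:
    def __init__(self):
        self.stage_flag = Stage.PRODUCTION  # rewritable configuration word in flash
        self.efuse_blown = False            # one-time programmable: never cleared
        self.bus_tx_enabled = True          # CAN / FlexRay transmitters
        self.debug_unlocked = False

    def effective_stage(self):
        # The fuse overrides the flash flag: once blown, the part is in
        # Failure Analysis no matter what is written to flash afterwards.
        return Stage.FAILURE_ANALYSIS if self.efuse_blown else self.stage_flag

    def power_on(self):
        # End-of-life protection is re-applied at every reset from the
        # effective stage, so a rewritten flag cannot re-enable the buses.
        if self.effective_stage() is Stage.FAILURE_ANALYSIS:
            self.bus_tx_enabled = False
            self.debug_unlocked = True
        else:
            self.bus_tx_enabled = True
            self.debug_unlocked = False
        return self.effective_stage()

    def request_stage(self, new_stage):
        """Legitimate DLC transition request through the normal flow."""
        if self.efuse_blown:
            raise PermissionError("E-fuse blown: device locked in Failure Analysis")
        if (self.stage_flag, new_stage) not in ALLOWED:
            raise PermissionError(
                f"transition {self.stage_flag.value} -> {new_stage.value} not allowed")
        self.stage_flag = new_stage
        return self.power_on()

    def enable_flash_test_mode(self):
        # Entering Flash Test Mode leaves permanent evidence: the fuse is
        # blown and the flag moves to Failure Analysis.
        self.efuse_blown = True
        self.stage_flag = Stage.FAILURE_ANALYSIS
        return self.power_on()


def attempt_field_return(device):
    """Model a flash rewrite that sets the flag back to 'In Field' on a fused part."""
    device.stage_flag = Stage.IN_FIELD
    return device.power_on()


if __name__ == "__main__":
    dev = Device()
    dev.request_stage(Stage.IN_FIELD)
    dev.enable_flash_test_mode()
    print("after field-return attempt:", attempt_field_return(dev).value,
          "bus tx:", dev.bus_tx_enabled)
```

The point of the model is the boot-time check in `power_on`: the decision is derived from the fuse, not from the flash flag, which is why rewriting the firmware or the configuration word does not move the device back "In Field".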

The HSM block
The Hardware Security Module (HSM) block is the most complete answer to the security requirements, anti-intrusion controls, and data encryption. These security features are made critical by the growing number of infotainment devices inside the vehicle, such as those that report highway traffic events and provide crash and weather forecast information, among others.

The HSM module is an SoC embedded in an ASIC. It is composed of a 100MHz core with dedicated local RAM and reserved Code and Data Flash, a crossbar with MPU, and an interrupt controller. It has an HSM/HOST interface to exchange data and instructions with the other cores inside the MCU in a secure and autonomous manner, and a C3 module.

The HSM is designed to control the MCU functionalities and also all the cryptographic features, because it embeds an internal C3 (Crypto Channel Controller) module, which integrates a True Random Number Generator and an MPAES block.

Beyond secure boot and debug interface access control, its most important features are the management of cryptographic keys, the generation of random numbers, and the implementation of all the encryption and decryption functions.

CAN, as previously mentioned, was not designed to be robust in terms of security: it cannot assure transmission confidentiality, since it transmits in broadcast mode, and it cannot ensure the authenticity and integrity of the transmitted data. Cryptographically protected messages satisfy those needs on the transmission bus within the vehicle.

The use of asymmetric and symmetric key algorithms grants confidentiality, integrity, and authenticity of the transmitted data, while hash-based functions, such as a digital signature or a MAC (Message Authentication Code), authenticate a data sender or provide a CMAC (Cipher Message Authentication Code) to carry out a secure boot.

All the encryption and decryption features, being hardware-implemented, provide the bandwidth needed for CAN communication without overloading the main CPU.
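As an added example (not code from the article or from the ST parts it describes), the block below shows the two MAC uses the text names: a truncated tag that authenticates a CAN frame and gives it freshness, and a full-length tag that gates secure boot. HMAC-SHA256 from the Python standard library stands in for the AES-CMAC the HSM computes in hardware; the demo key, the counter-plus-tag framing inside the 8-byte CAN data field, the function names and the sample firmware bytes are all constructed for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In the real part the key stays inside the HSM's
# reserved flash and the tag is an AES-CMAC computed by the MPAES block;
# HMAC-SHA256 is used here only because it ships with the standard library.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 4       # truncated tag bytes that fit into the 8-byte CAN data field
COUNTER_LEN = 2   # freshness counter bytes (assumed framing)


def mac(key, can_id, counter, payload):
    """Tag over CAN ID, counter and payload, truncated to TAG_LEN bytes."""
    msg = struct.pack(">IH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, can_id, counter, payload):
    """Sender side: data field = counter || payload || tag (8 bytes max)."""
    data = struct.pack(">H", counter) + payload + mac(key, can_id, counter, payload)
    if len(data) > 8:
        raise ValueError("payload too long for a classic CAN frame with counter and tag")
    return can_id, data


class Receiver:
    """Receiver side: verifies the tag and rejects replayed counters per CAN ID."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}

    def accept(self, can_id, data):
        """Return the payload if the frame is fresh and authentic, else None."""
        if len(data) < COUNTER_LEN + TAG_LEN:
            return None
        counter = struct.unpack(">H", data[:COUNTER_LEN])[0]
        payload = data[COUNTER_LEN:-TAG_LEN]
        tag = data[-TAG_LEN:]
        # Freshness first: a replayed or reordered frame is dropped before any crypto.
        if counter <= self.last_counter.get(can_id, -1):
            return None
        # Constant-time compare so tag verification does not leak timing.
        if not hmac.compare_digest(tag, mac(self.key, can_id, counter, payload)):
            return None
        self.last_counter[can_id] = counter
        return payload


def sign_firmware(key, image):
    """Full-length tag stored beside the image at provisioning time."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_firmware(key, image, stored_tag):
    """Secure-boot check: the image may run only if its tag still matches."""
    return hmac.compare_digest(stored_tag, sign_firmware(key, image))


if __name__ == "__main__":
    rx = Receiver(DEMO_KEY)
    frame = build_frame(DEMO_KEY, 0x123, 1, b"\x42\x00")
    print("genuine frame ->", rx.accept(*frame))
    print("replayed frame ->", rx.accept(*frame))
    forged = bytearray(frame[1])
    forged[2] ^= 0x01  # flip one payload bit
    print("tampered frame ->", rx.accept(frame[0], bytes(forged)))

    image = b"constructed firmware image bytes"
    tag = sign_firmware(DEMO_KEY, image)
    print("boot genuine ->", verify_firmware(DEMO_KEY, image, tag))
    print("boot modified ->", verify_firmware(DEMO_KEY, image[:-1] + b"!", tag))
```

Two design points carry over to a real deployment: the counter is bound into the MAC input so a captured frame cannot be replayed under a later counter value, and the receiver checks freshness before verifying the tag, which keeps the per-frame cost low on a bus where the hardware MAC engine, not the main CPU, is meant to absorb the load.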

Finally secure
Some of the most sophisticated automotive devices that will be used in next-generation vehicles are these new-generation MCUs, such as the SPC57EM80, the SPC574K72, and the SPC572L64 from STMicroelectronics.

We've provided a generic overview of the security hardware countermeasures embedded in the electronic device to block illegal manipulations and unauthorised intrusions from external and internal attackers, focusing on the implementation of this multi-layer architecture.

Those hardware protection mechanisms grant strong protection against illegal access to the sensitive data inside the MCU, and the cryptographic features can be used successfully on the car's CAN transmission bus.


About the author
Danilo Gaetano Ciancitto is application development senior engineer, working in the automotive electronics division at STMicroelectronics.

