Send Autograph Validated with airSlate SignNow

Send successor signature service

[Music] hey everybody it's ian cunningham from vector gb here i'm going to talk to you today today about certificate-based authentication in diagnostics and what's possible with uds and autozar right now so this is a relatively new topic hopefully really interesting for lots of you um i have a demo of this as well so this is the first of a little sequence of videos uh the second video will will be in the demo but before i did the demo i thought it'd be really interesting to make sure everyone actually understands what's possible in in this area so security um is a big topic certificate or based authentication is just part of of this big topic uh so a quick recap on on what's possible in security in autosar let's let's assume we're interested specifically in autosar for now so um what topics do we possibly have well we have in security things like secured onboard communication where we want to authenticate or encrypt messages that are used by our issues and their normal communication in this case we want to make sure that our issues are protected against replay attacks so somebody logs a set of transactions between an ecu and then tries to force a specific behavior in the system in the vehicle by replaying that sequence of messages or parts of that sequence of messages to an ecu we want to not allow that to happen it could be very bad um so we want to protect against these kind of scenarios and this brings the concept of freshness management into into our vehicle so how do we determine messages sufficiently fresh for us to say this is not being replayed this is a real request additionally we need to think about secret management so with security we start to think about topics like looking after secret keys or certificates in the case of diagnostics and how we support these in oem specific ways so different vehicle manufacturers have different thoughts on this so we need to support those and then of course secure diagnostics so how do we restrict access to functions or data that we may be able to trigger with these within our issues maybe even restrict the ecu's that people are able to interact with using diagnostics and of course restricting specific use cases so maybe the limit the ability to read data or restrict who is able to do reprogramming and for this last set of cases we have a new uds service unified diagnostic services uds so we have a new service in the standard which was published at the start of 2020 so this is iso 14229 part 1 introduces service 2 9 hex and this is a new service for diagnostic tester authentication it's split into a few different sections one of them deals with authentication with pki certificate exchange public key infrastructure and this relies on asymmetric cryptography this is introduced in autosar 4.4.0 the other things that are in the iso are presently defined as being out of scope of autos are so this text comes from the autosar diagnostic communication manager specification there's a specific note in there that says essentially autozar only deals with the apce case authentication with pki certificate exchange okay so let's think about what this looks like maybe if we compare it with security access and it's important to note that this is not a replacement for security access just because we have authentication doesn't mean that we don't necessarily have security access though so security access is going to stay around for some time to come because not all ecu's need the level of protection that authentication comes because authentication comes with a cost due to this part here so security access let's have a recap service to seven hex we have a concept of security level we do symmetric cryptography usually sometimes very simple sometimes we're just flipping bits we have a shared secret between the tester and the ecu and that is a transformation which is applied to a number uh to generate an answer so what happens is the issue generates a number sends it to the tester both the tester and the ecu apply the set of transformations or calculations to the number the tester sends it its result back to the ecu if that number matches what the ecu has calculated in parallel the ecu says you know my secret therefore i'm going to trust you so this uh doesn't have to be complicated and typically this is only applied um to a selection of things so maybe writing data to ecu's maybe doing software update um interacting with io these are the things that are protected it's yeah simple it's not really very secure necessarily because this algorithm could be very simple like reverse the bits um or flip the bits um to to generate a seed from a key and also within autosar there's only one security access state machine independent of how we're connected to the ecu so if we consider that i have two connections between this ecu and my tester so i have one which is can and one which is diagnostics on ip so deut i can authenticate on can or sorry i can do security access on can with this ecu and then i can switch to doip and i can do things that need security access because the ecu has been unlocked and that's it this maybe sounds like a good feature but it's not necessarily the case because we may not just have one tester i may have an on-board tester which is providing over-the-air functions so if this tester unlocks ecus for some reason to do things it means that if somebody comes along with another tesla plugs it into the j1962 connector they can get access to the ecu's with the security level that the onboard tester has applied so this is not a good feature uh it's a bit of a backdoor even you could think about so so authentication different service two nine hex versus two seven we have a concept of role rather than level we use pki certificates we have a concept that probably nearly everything is protected this is a more modern approach to security which is we protect everything and then we poke holes in the security to let people get access where we specifically want them to have access this is this is a white listing approach over here this is more like a blacklisting approach and a more modern approach is to apply white lists we have also rather than possibly very simple algorithms we have proper cryptographic authentication using certificates we'll look at what this means and importantly autosar if we use authentication gives us an authentication state machine per physical layer so what this means is that my onboard tester which maybe is connected using can to an ecu and is doing things like ecu if somebody also tries to connect via doip for your ethernet to that ecu and do things they don't get any rights according to what my on-board tester has done so i can be fully authenticated on board but any off-board tester is completely unauthenticated so each tester that connects has to explicitly authenticate with the ecu's in the vehicle to be able to do things so we don't have this back door that we kind of talked about when in the context of security access so certificates what does certificates mean well we have a something called the chain of trust uh we'll give a very quick overview of this the purpose of today is not to do lots of stuff on pki public infrastructure so please feel free to look up on the internet essentially what we have is we have a a chain of certificates now the root certificate we have no way to verify the signature of this and this means that root certificates are typically stored offline and what we actually see when we look at a certificate authority using requests to their infrastructure is an intermediate certificate so here we see an intermediate certificate this intermediate certificate is signed with the root certificate and we're then able to issue uh other certificates based on this intermediate certificate so this means that if something goes wrong and we need to revoke the certificate which we're using to to sign downstream certificates on the users it means that we are able to protect our root certificates because these if we lose these we're really lost we have no way to revoke these so we have a chain of trust we have a hierarchy and it means that we get a sequence of things so the intermediate certificate we can verify using its public key the signature of a downstream certificate that was signed with the private key and we have yeah this is a simplified view typically many you can right click on the padlock that you see in your web browser and you can look at the chain of trust you can see how many certificates there are between your browser the end user and the certificate authority there could be five or six even certificates in that in that chain so that's a very quick explanation what do we typically want to do well typically we kind of borrow the concept of of levels from um security access so we have a set a concept of role now once we've authenticated to a role we basically inherit the ability to do a load of stuff so if i authenticate as a supplier for example and my certificate identifies that it's giving me the the rights of being a supplier then i have a white list that gives me access to a load of different capabilities fantastic the list of things that anybody can do without authentication is quite restricted maybe only obd and authentication even maybe so with security uh with authentication rather than security access style security uh lots of securities in that sentence sorry it's you know security access is style security is good if you want coarse grained control we unlock a level and we get a set of capabilities with real security access so uds service to seven we have a shared secret a c key algorithm with authentication we have pki style security and this means that we're able to transfer other data than just the means of of of saying we have authenticated so what does this mean well it means that we can maybe just say well the authentication that we're doing is limited to a specific user or maybe to a specific use case or a specific vehicle a specific date because we have a validity range we can time out certificates it may be even that we really restrict things to a specific time or even a combination of everything so the user alex is permitted to perform key reprogramming on a specific vehicle on a specific date in a specific time slot so this is the kind of level of granularity that we can get to additionally on that certificate we have this additional content we can provide additional role additional things that are allowed to be done by the holder of the certificate beyond what they get through authentication so we authenticate and we get some rights but then additionally we can issue a temporary certificate that extends the capability to other things so what this means is we can have maybe a slot which is third party tester and it gets essentially no rights but we can generate certificates on the fly which allow people to do specific sets of things so back to our train of trust we have a very simplified view now we just have one upstream certificate and two downstream certificates so both of these certificates will have been signed with the public key of the upstream certificate sorry will have been signed with the private key of the upstream certificate and the upstream certificates public key is available which means that the uh certificate signatures can be verified how does this work when we put those certificates on a tester and an ecu so we connect up and using service 29 the tester is able to ask the issue what authentication method do you support so it's using service 29 hex we will either get service not supported which kind of tells us no authentication at all or we'll get an answer along the lines of i support apce fantastic so we support pki certificate exchange so what do we do next from the tester side we say well okay here's my certificate so we transfer the public key certificate which contains the testers public key and the signature for the certificate which is generated from the private key we do not send the private key the private key remains private it's a whole point but we we send this information to the test to the ecu the ecu is able to verify the certificate is overall valid by checking the signature based on the upstream public key and it has the the public key from the certificate what it doesn't know is that the tester actually owns this certificate okay so it doesn't know that this wasn't just robbed off the internet from somewhere so what the issue is able to do is say well okay prove that you really own that certificate that certificate contains a public key here's some data sign it with your private key i can then as the ecu verify the signature that you send back to me to understand that you really own the private key that relates to that certificate so the tester sends back a response the the signature data and the ecu is able to then verify that signature based on the the public key so this is this is pki certificate exchange it's similar to the kind of thing that you would see in tls on the internet so if you know about that you kind of understand this mechanism here um and yeah if we've done this successfully then the the test is known to have ownership of the certificate and we therefore authenticate the the tester at the ecu and we get a positive response back fantastic and we're able to show that it owns a certificate that was signed by a higher level certificate authority that we as an ecu trust we haven't transferred any information about the ecu we haven't transferred the private key the private key remains private all we've done is proved that we have access to the private key so this is how we can authenticate what's also possible well also possible is the ability to persist through session changes uh the security state so we have an explicit way to de-authenticate we can also do bi-directional authentication so i said just now it's a bit like tls this is really like tls so both people both parties will send certificates each way they'll both be a challenge and proof of ownership each way so we can make sure that we aren't being spied by a dummy ecu from a test from a tester perspective so we can protect the test the secrets we can even be much more advanced this is not really in the scope of the service but um we have the possibility that actually the tester doesn't carry a certificate at all the tester is just a gateway that provides a a relay point between an oem server and the ecu so what this means then is the authentication is done maybe with a user id and a password between the tester and the server so we can have accounts which we can give rights to and revoke and then effectively the server provides temporary certificate to the tester the challenge is sent by the ecu uh to the test that their tester sends a challenge onto the server and gets the response back and and so on so we we protect ourselves how do we support this in vector tools we have something called security manager so we need to deal with lots of different sources of security information it might be working with servers it might be certificates it could be a cloud infrastructure we need to talk with that's a lot of complexity for our vector tools what we do is we decouple the vector tool from this complexity um with the security manager we have a user interface that allows us to to say what security sources we want to make available um to vector tools and then there's a real-time component which allows the vector talks to actually connect to a specific source set of certificates that stored locally or to a a certificate server or whatever there's just just then a defined interface then and that's all we need to know is there's a defined interface here the security manager lets us say well for specific vector tool this is how it can connect we do not need to know any of the details of what's happening here at all from the vector perspective so the secrets the real secrets in the diagnostic process can really stay secret we don't need to know them but we can make our tools work with those secret things so that's an introduction to authentication in diagnostics please give your comments questions and i look forward to you joining me in the next video where we'll actually see a demonstration of all this stuff we've just talked about in action thank you very much