Vehicle security and automotive parts pairing solutions


The automotive industry is undergoing a transformation, with an increasing number of new features available to customers, moving towards the goal of autonomous vehicles. These features contribute to conditional automation of steering, acceleration, and braking. Simultaneously, convenience and service features are accessible via touch screens or voice commands. However, with the growth of intelligence and connectivity, vehicle security has become a major point of concern, and vehicle safety is now tightly coupled to cybersecurity. The performance and safety of automotive parts can be guaranteed by implementing various cryptographic authentication options. This article introduces how automotive parts pairing ensures vehicle security and describes the automotive parts pairing solutions offered by ADI.

Reliable authentication of vital automotive components through cryptographic mutual authentication schemes enabled by pairing 

Today's cars possess increasingly smart capabilities, enabling them to perform more tasks autonomously, from automatically switching on high beams to parking themselves, detecting blind spots, and pre-emptive braking to avoid collisions. Making these capabilities possible are Electronic Control Units (ECUs) that connect to the electronics of individual car parts. These electronics support items such as Advanced Driver Assistance Systems (ADAS), power management, Electric Vehicle (EV) powertrains, infotainment, LED lighting, body electronics, mobile connectivity, and security, to name a few. Many automotive parts require strict adherence to Original Equipment Manufacturer (OEM) specifications to guarantee performance and safe operation. Cryptographic mutual authentication schemes enabled by pairing can enable reliable authentication of vital car parts, which will be key to helping meet the ISO 21434 and UNECE WP.29 cybersecurity regulation requirements that enforce a "secure by design" paradigm. 

Let us first define what is meant by "pairing". Pairing is a cryptographic authentication and association between different vehicle subsystems that enables mutual trust. For automotive edge devices, including automotive sensors and actuators, trust encompasses several aspects: car parts must be OEM-approved, provable, and have a securely controlled life cycle (manufacturing, installation, calibration, refurbishing, decommissioning, etc.). 

The first and foremost benefit of "pairing" is to provide a cryptographically strong identification and authentication of car parts. By securely tying a specific car part to a specific vehicle, manufacturers can ensure that only authorized parts are used in their vehicles. This not only improves safety but also helps prevent fraud, theft, and counterfeiting. Risks are mitigated through this strong authentication scheme since any replacement part must now be authentic and valid, eliminating counterfeit or stolen parts. 

The second benefit of "pairing" is the ability to store and attest to the life cycle of a car part. This includes the part's calibration and settings, its life cycle state (manufacturing steps, maintenance steps, mounting and transfer to another car, configuration/calibration, decommissioning, etc.), the associated car chassis identifier, and other relevant traceability information. Cryptographic methods using digital signatures provide verifiable proof of the car part's full state. The car's ECUs can use this additional information to manage otherwise authentic parts, for example rejecting an OEM ADAS camera that is improperly calibrated, decommissioned, or deliberately mounted in another car without proper authorization. This data can also be encrypted for added security, allowing manufacturers to ensure that only authorized parties can access it. Attesting to a part's life cycle reduces the risk of using invalid but authentic parts, provided that the ECU is itself secure enough that the car part verification cannot be bypassed.

Trustworthy life cycle data is itself vital to trust in the part. Tampering with life cycle information could allow someone to refurbish worn-out or malfunctioning parts that would cause safety risks, or to inadvertently use stolen parts. By using cryptography-based access control, manufacturers can ensure that only authorized parties can modify the car part's life cycle information memory and the other information used to bind the car part to an ECU. An approved OEM dealer can then replace a car part, associate the part with the car chassis, run an approved calibration, and so on.

There are multiple scenarios where a car part should cease functioning normally if it is not attached to a legitimate vehicle. This can occur when a part is stolen. Some devices need a proper installation process to operate safely. Being moved to another vehicle without following strict maintenance rules can be dangerous. The issue can also arise when a man-in-the-middle attack occurs, where the vehicle subsystem is not communicating directly with a legitimate ECU but with an intermediate rogue device. Cryptographic activation of a car part can solve those issues. 


Initial vehicle part authentication to exclude counterfeit products 

The benefits of pairing security mechanisms rely on a challenge-response authentication scheme that requires the installation of various "credentials": certificates, public-private key pairs, static public keys, shared secret keys, etc. Various options provide different levels of security and flexibility, allowing manufacturers to choose the best option for their specific needs. Multiple options can be combined: in general, an initial vehicle part authentication is required to exclude counterfeits, but going beyond, additional steps including installation, configuration, and eventually, a specific vehicle-to-part association must be performed. 

Automotive parts and ECUs paired using one of the methods mentioned above, such as certificate-based, static public key, shared secret key, or key establishment, provide much stronger protection of the car's safety. Counterfeits, fraud, and attacks are thwarted by mutually authenticating the identity and life cycle state of the car part and the ECU. If any controlled asset fails the verification process and cannot be trusted, the ECU or the car part can cease to operate and keep the system in a safe state, for example by preventing the car from running or displaying alerts on the dashboard.

Reverse authentication schemes allow car parts to cease functioning when they are not attached to a legitimate ECU (because of a man-in-the-middle attack or an uncontrolled swapping of the part into another vehicle). Such schemes are also used to control write access to the car part's internal memory to preserve life cycle and configuration data from unwanted modification.

Guaranteed car part performance and safe operation can be better achieved by implementing the various pairing options discussed. These options are best implemented with devices such as ADI's DS28C40, together with an understanding of the ECDSA and HMAC-SHA-256 cryptographic schemes it supports.
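As an added illustration (not code from the article or from ADI; the DS28C40's actual command set and key derivation are not modelled here), the following Python models the shared-secret variant of the pairing scheme described in the preceding sections: a per-part HMAC-SHA-256 pairing secret derived from an OEM master secret, the part's unique ROM ID and the chassis identifier; forward challenge-response so the ECU rejects a counterfeit part or a genuine part moved to another vehicle; and reverse authentication so the part accepts life cycle writes only from a host that proves knowledge of the secret. The master secret, chassis identifiers, ROM ID, message labels and the derivation itself are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values. In a real deployment the master secret lives only in
# the OEM's provisioning system and the ECU-side secure coprocessor.
OEM_MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CHASSIS_A = b"CHASSIS-CONSTRUCTED-A"
CHASSIS_B = b"CHASSIS-CONSTRUCTED-B"


def pairing_secret(master: bytes, romid: bytes, chassis_id: bytes) -> bytes:
    """Per-part secret = HMAC-SHA-256(master, ROM ID || chassis id).

    Folding the chassis identifier into the derivation is the pairing step: the same
    part, with the same ROM ID, yields a different secret in a different vehicle.
    (Hypothetical derivation for illustration, not the DS28C40's own.)"""
    return hmac.new(master, romid + chassis_id, hashlib.sha256).digest()


@dataclass
class PartAuthenticator:
    """Model of the authenticator IC inside a car part (for example an ADAS camera)."""
    romid: bytes                              # factory-unique 64-bit ROM ID
    secret: bytes                             # installed at pairing time, never readable
    lifecycle: dict = field(default_factory=lambda: {"state": "manufactured", "calibrated": False})
    _pending: Optional[bytes] = None          # nonce issued to the host, awaiting its MAC

    def respond(self, challenge: bytes) -> bytes:
        """Forward authentication: answer the ECU's challenge with the pairing secret."""
        return hmac.new(self.secret, b"part->ecu" + self.romid + challenge, hashlib.sha256).digest()

    def challenge(self) -> bytes:
        """Reverse authentication, step 1: issue a fresh nonce the host must MAC."""
        self._pending = secrets.token_bytes(32)
        return self._pending

    def authenticated_write(self, key: str, value, host_mac: bytes) -> bool:
        """Reverse authentication, step 2: apply a life cycle update only if the host's
        MAC over (nonce || key || value) verifies. The nonce is consumed either way."""
        if self._pending is None:
            return False
        msg = b"ecu->part" + self._pending + key.encode() + repr(value).encode()
        self._pending = None
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, host_mac):
            return False
        self.lifecycle[key] = value
        return True


class ECU:
    """Model of the host side. It derives each part's secret from the master secret
    and its own chassis id, so it can only pair with parts bound to this vehicle."""

    def __init__(self, master: bytes, chassis_id: bytes):
        self._master = master
        self.chassis_id = chassis_id

    def _secret_for(self, romid: bytes) -> bytes:
        return pairing_secret(self._master, romid, self.chassis_id)

    def verify_part(self, part: PartAuthenticator) -> bool:
        """Challenge the part; a counterfeit or a part paired to another car fails here."""
        nonce = secrets.token_bytes(32)
        expected = hmac.new(self._secret_for(part.romid), b"part->ecu" + part.romid + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, part.respond(nonce))

    def write_lifecycle(self, part: PartAuthenticator, key: str, value) -> bool:
        """Prove to the part that this host is legitimate before changing its memory."""
        nonce = part.challenge()
        msg = b"ecu->part" + nonce + key.encode() + repr(value).encode()
        mac = hmac.new(self._secret_for(part.romid), msg, hashlib.sha256).digest()
        return part.authenticated_write(key, value, mac)


def run_scenarios() -> dict:
    """Exercise the cases the article describes and return each outcome."""
    romid = bytes.fromhex("3a00000001234567")                        # constructed ROM ID
    genuine = PartAuthenticator(romid, pairing_secret(OEM_MASTER_SECRET, romid, CHASSIS_A))
    counterfeit = PartAuthenticator(romid, secrets.token_bytes(32))  # cloned ROM ID, wrong secret
    ecu_a = ECU(OEM_MASTER_SECRET, CHASSIS_A)
    ecu_b = ECU(OEM_MASTER_SECRET, CHASSIS_B)                        # another legitimate vehicle
    rogue = ECU(secrets.token_bytes(32), CHASSIS_A)                  # intermediate device, no OEM secret
    return {
        "genuine_on_own_car": ecu_a.verify_part(genuine),
        "genuine_moved_to_other_car": ecu_b.verify_part(genuine),
        "counterfeit_with_cloned_romid": ecu_a.verify_part(counterfeit),
        "dealer_calibration_write": ecu_a.write_lifecycle(genuine, "calibrated", True),
        "rogue_host_write": rogue.write_lifecycle(genuine, "state", "refurbished"),
        "lifecycle_after": dict(genuine.lifecycle),
    }
```

Calling `run_scenarios()` shows the genuine part authenticating on its own car and an authorized calibration write succeeding, while the same part on another chassis, a counterfeit with a cloned ROM ID, and a life cycle write from a host without the OEM secret are all rejected. The domain labels `part->ecu` and `ecu->part` keep a response captured in one direction from being replayed in the other, and the single-use nonce is what defeats replay of a recorded write.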


Automotive I²C authenticator supporting various pairing schemes 

The DS28C40 Automotive I²C Authenticator IC from ADI can support various pairing schemes and the traceability of the life cycle for the automotive edge. The DS28C40 can be installed into a car part to establish pairing. The device is a secure authenticator that provides a core set of cryptographic tools. These tools provide symmetric (SHA-256-based) and asymmetric (ECC-P256-based) security functions. 

In addition, the device contains an I²C interface, a True Random Number Generator (TRNG), 6Kb of One-Time Programmable (OTP) memory for user data, keys, and certificates, one configurable General-Purpose Input/Output (GPIO), and a unique 64-bit ROM identification number (ROMID). 

The OTP memory can only set bits from 1 to 0 in 32-byte memory pages. Protection settings exist for blocks of memory pages. With an OTP device, write operations and protection settings produce irreversible results. Protection settings include write/read protect, authenticated write protect for ECDSA/HMAC, and more complex encrypted protections. The GPIO pin supports authenticated configurability. Lastly, the device fits in a 10-Pin TDFN (3mm x 3mm) package with an operation range from -40°C to 125°C. 
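To make the OTP semantics concrete, here is an added Python model (not ADI's code; the flag names, page layout and life cycle encoding are constructed) of a 32-byte page whose writes can only clear bits and whose protection flags cannot be removed. It shows two practical consequences of the paragraph above: a provisioned page that has not yet been write-protected can still be altered by any bus master, so provisioning must end by locking the page; and a life cycle field encoded as a one-way bit pattern can only ever advance, so the memory itself refuses to move a decommissioned part back to an earlier state.

```python
from typing import Optional

PAGE_SIZE = 32  # bytes per OTP page, as the article states

# Life cycle stages encoded as a one-way "thermometer" code in the page's first byte:
# 0xFF -> 0xFE -> 0xFC -> 0xF8. Advancing only ever clears bits, so the OTP rule
# (1 -> 0 only) makes the sequence irreversible. Constructed encoding for illustration.
STAGES = ["manufactured", "installed", "calibrated", "decommissioned"]


def stage_pattern(stage: str) -> int:
    """First byte of the life cycle page for a given stage."""
    return (0xFF << STAGES.index(stage)) & 0xFF


def lifecycle_page(stage: str) -> bytes:
    """Whole-page image: stage byte followed by untouched (all-ones) cells."""
    return bytes([stage_pattern(stage)]) + b"\xff" * (PAGE_SIZE - 1)


class OtpPage:
    """Model of one OTP page with irreversible protection flags (constructed names)."""

    def __init__(self) -> None:
        self.cells = bytearray(b"\xff" * PAGE_SIZE)   # unprogrammed OTP reads all ones
        self.protections = set()                      # "WP" = write protect, "RP" = read protect

    def write(self, new: bytes) -> bool:
        """A write may only clear bits. Setting a bit, or writing a write-protected
        page, is rejected and leaves the page unchanged."""
        if len(new) != PAGE_SIZE:
            raise ValueError("whole-page writes only")
        if "WP" in self.protections:
            return False
        if any(n & ~o & 0xFF for o, n in zip(self.cells, new)):
            return False                              # would need a 0 -> 1 transition
        self.cells[:] = bytes(o & n for o, n in zip(self.cells, new))
        return True

    def read(self) -> Optional[bytes]:
        return None if "RP" in self.protections else bytes(self.cells)

    def protect(self, flag: str) -> None:
        """Protection is itself one-time: there is deliberately no way to clear a flag."""
        self.protections.add(flag)


def run_otp_scenarios() -> dict:
    # 1. A certificate page that is provisioned but not yet locked can still be damaged.
    cert = bytes(range(PAGE_SIZE))                    # constructed stand-in for a certificate
    cert_page = OtpPage()
    cert_page.write(cert)
    altered_before_lock = cert_page.write(bytes(b & 0xF0 for b in cert))  # only clears bits
    cert_page.protect("WP")
    altered_after_lock = cert_page.write(b"\x00" * PAGE_SIZE)

    # 2. A life cycle field that can advance but never retreat.
    lc_page = OtpPage()
    forward_steps = [lc_page.write(lifecycle_page(s)) for s in STAGES]
    rollback = lc_page.write(lifecycle_page("installed"))  # would set bits: rejected
    return {
        "altered_before_lock": altered_before_lock,
        "certificate_intact": cert_page.read() == cert,
        "altered_after_lock": altered_after_lock,
        "forward_steps": forward_steps,
        "rollback_accepted": rollback,
        "final_stage_byte": lc_page.read()[0],
    }
```

`run_otp_scenarios()` reports that the unlocked certificate page was silently altered (its bytes now differ from what was provisioned), that the same attempt fails once `WP` is set, that all four forward life cycle steps succeed, and that the attempted rollback to `installed` is refused with the page still reading `0xF8`.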

The ECC public/private key capabilities of the DS28C40 operate from the NIST-defined P-256 curve and include FIPS 186-4-compliant ECDSA signature generation and verification to support a bidirectional asymmetric key authentication model. The SHA-256 secret-key capabilities are compliant with FIPS 180 and are flexibly used either in conjunction with ECDSA operations or independently for multiple HMAC functions. The GPIO pin can be operated under command control and includes configurability supporting authenticated and nonauthenticated operation, including an ECDSA-based crypto-robust mode to support secure boot of a host processor.

The DeepCover® embedded security solution of the DS28C40 cloaks sensitive data under multiple layers of advanced security to provide the most secure key storage possible. To protect against device-level security attacks, invasive and noninvasive countermeasures are implemented, including active die shield, encrypted storage of keys, and algorithmic methods. 

ADI also offers the DS28C40 evaluation system (EV system), which provides the hardware and software necessary to exercise the features of the DS28C40. The EV system consists of five DS28C40 devices in a 10-pin TDFN package, a DS9121ATB+ evaluation TDFN socket board, and a DS9481P-300# USB-to-I²C/1-Wire® adapter. The evaluation software runs under Windows operating systems (both 64-bit and 32-bit versions). It provides a handy user interface to exercise the features of the DS28C40. 


DeepCover automotive 1-Wire authenticator and secure coprocessor ensuring vehicle safety and reliability 

In addition to the DS28C40, ADI also offers the DS28E40, a DeepCover Automotive 1-Wire Authenticator that ensures vehicle safety and reliability by authenticating automotive components. Like the DS28C40, the DS28E40 provides a core set of cryptographic tools, integrates a FIPS/NIST True Random Number Generator (TRNG), 6Kb of One-Time Programmable (OTP) memory, a configurable General-Purpose Input/Output (GPIO), a unique 64-bit ROM identification number (ROM ID), GPIO-authenticated operation, and the DeepCover embedded security solution. 

The DS28E40EVKIT is the evaluation kit for the DS28E40, providing the hardware and software necessary to evaluate its features. The EV system consists of five DS28E40ATB/VY+ devices in a 10-pin TDFN package, a DS9121ATB+ evaluation TDFN socket board, and a DS9481P-300# USB-to-I²C/1-Wire® adapter. The evaluation software runs under Windows operating systems (both 64-bit and 32-bit versions). It provides a convenient user interface to easily exercise the features of the DS28E40. 

The DS9481P-300 is a USB-to-1-Wire®/I²C adapter for easy PC connectivity to 1-Wire and I²C devices. The adapter provides a 6-pin female connector with the signals to communicate with 1-Wire and I²C devices that support a 3.3V data I/O level. The DS9481P-300 driver runs on Windows operating systems (both 64-bit and 32-bit versions). The virtualized COM port provides a convenient communication interface. 

ADI's DS2478 is a DeepCover Automotive Secure Coprocessor that ensures vehicle safety and reliability by authenticating automotive components. The DS2478 is a DeepCover® secure ECDSA and HMAC SHA-256 coprocessor companion to the DS28E40 or DS28C40. The coprocessor can compute any required HMACs or ECDSA signatures to perform any operation on the DS28E40 or DS28C40. 

The DS2478 similarly supports core cryptographic tools, ECC public/private key capabilities, and a GPIO pin that can be operated under command control, including configurability supporting authenticated and nonauthenticated operation, including an ECDSA-based crypto-robust mode to support secure boot of a host processor. This secure-boot method can also be used to enable the coprocessor functions. 

The DS2478EVKIT is the evaluation kit for the DS2478, providing the hardware and software necessary to use its features. The EV system consists of five DS2478/DS28E40/DS28C40 devices in a 10-pin TDFN package, two DS9121ATB+ TDFN socket boards, and a DS9481P-300# USB-to-I²C/1-Wire® adapter. The evaluation software runs under Windows operating systems (both 64-bit and 32-bit versions). It provides an easy-to-use user interface to use the features of the DS2478 in conjunction with the DS28E40 or DS28C40. 

Conclusion 

As the automotive industry moves towards intelligence and electrification, vehicle security no longer relies solely on the quality of individual components but on the coordinated operation and precise pairing of the entire system. Comprehensive component pairing solutions make it possible to ensure that components come from authorized manufacturers, guaranteeing compatibility and stability between parts, reducing potential failure risks, and enhancing the overall driving experience and safety level. ADI's automotive parts pairing solutions help manufacturers and maintenance providers verify the source of components. The intelligent pairing of components will become central to ensuring vehicle security and performance. 
