Wolf | Security Engineering for Vehicular IT Systems | E-Book | sack.de
E-book, English, 228 pages

Wolf Security Engineering for Vehicular IT Systems

Improving the Trustworthiness and Dependability of Automotive IT Applications
2009
ISBN: 978-3-8348-9581-3
Publisher: Vieweg & Teubner
Format: PDF
Copy protection: 1 - PDF Watermark




Marko Wolf provides a comprehensive overview of the emerging area of vehicular IT security. Having identified potential threats, attacks, and attackers for current and future vehicular IT applications, the author presents practical security measures to meet the identified security requirements efficiently and dependably.

Dr. Marko Wolf completed his doctoral thesis at the Ruhr University Bochum at the department of Embedded Security. He is now a senior security engineer at escrypt - Embedded Security GmbH, Munich.


Target audience


Research


Further information & material


Foreword
Preface
Table of Contents
List of Figures
List of Tables
List of Abbreviations
Part I The Preliminaries
  1 Introduction
    1.1 Hope for the Best, Prepare for the Worst
    1.2 Outline
    1.3 Summary of Research Contributions
  2 Related Work
  3 Brief Background in Security and Cryptography
    3.1 Enforcing the Secrecy of Secrets
    3.2 Symmetric-Key Cryptography
    3.3 Asymmetric-Key Cryptography
    3.4 Recommended Key Lengths
    3.5 Hash Functions
    3.6 Message Authentication Codes
    3.7 Cryptographic Implementations
    3.8 Trusted Computing Technology
    3.9 Security Schemes in the Automotive Domain
    3.10 Cryptanalysis
Part II The Threats
  4 Security-Critical Vehicular Applications
    4.1 Introduction
    4.2 Theft Protection
    4.3 Counterfeit and Intellectual Property Protection
    4.4 Software Updates
    4.5 After-Sale Applications
    4.6 Legal Applications
    4.7 Vehicular Communication
    4.8 Protection of Safety-Critical Applications
    4.9 Privacy Protection
  5 Attackers and Attacks in the Automotive Domain
    5.1 Attackers in the Automotive Domain
    5.2 Attacks in the Automotive Domain
  6 Security Analysis and Characteristical Constraints in the Automotive Domain
    6.1 Security Objectives Analysis
    6.2 Security Requirements Engineering
    6.3 Characteristical Advantages
    6.4 Characteristical Constraints
Part III The Protection
  7 Vehicular Security Technologies
    7.1 Physical Security
    7.2 Security Modules
    7.3 Vehicular Security Architectures
  8 Vehicular Security Mechanisms
    8.1 Why Proper Security Application is Hard
    8.2 Secure Component Identification
    8.3 Secure User Authentication
    8.4 Software Protection
    8.5 Secure Storage
    8.6 Secure Communication
  9 Organizational Security
    9.1 The Safety of Secrets
    9.2 Achieving Organizational Security in the Automotive Domain
    9.3 Organizational Security Measures in a Vehicular Lifecycle
  10 Conclusions
Bibliography
Index

The Preliminaries.- Related Work.- Brief Background in Security and Cryptography.- The Threats.- Security-Critical Vehicular Applications.- Attackers and Attacks in the Automotive Domain.- Security Analysis and Characteristical Constraints in the Automotive Domain.- The Protection.- Vehicular Security Technologies.- Vehicular Security Mechanisms.- Organizational Security.


7 Vehicular Security Technologies (pp. 107-108)

This chapter provides an overview about general vehicular security technologies such as physical security measures, vehicular security modules, and vehicular security architectures. These technologies serve as basis to implement identified security requirements using the security mechanisms described in the next chapter. Parts of this chapter are based on published research in [BEPW07, BEWW07, HSW06, SSW06].

7.1 Physical Security

In contrast to most other IT related attack scenarios, attackers in the automotive domain usually have full physical access to breach the security of a particular vehicular IT system. As described in detail in Section 5.2.2 about physical attacks, an internal attacker in the automotive domain can manipulate or replace almost every built-in component and can manipulate its actual physical environment and (physical) inputs. He further holds the respective attack target in his possession for as long as he likes, and may eventually even receive more samples for testing and practice. Hence, the attacker can undisturbedly mount almost any feasible attack without having to fear to be detected, backtracked, or locked out. Nevertheless, there exist several measures to make physical attacks at least more difficult, even though it is practically impossible to fend off a sufficiently motivated (and sufficiently funded) attacker completely.

Thus, a security-critical IT system cannot solely rely on its physical protection measures and hence has to ensure that the successful compromise of a single hardware component does not compromise the overall IT system. This means that the cost of compromising a single hardware component should generally outweigh the potential rewards (economic security). Physical security or tamper protection measures usually either aim to prevent any kind of disclosure and modification (tamper-resistance), or aim to at least enable a subsequent detection of potential disclosures or modifications by a regular and unpredictable examining control entity (tamper-evidence).

Physical security measures can be further distinguished into active (tamper-responsive) and passive (tamper-evident, tamper-resistant) protection measures. This results in the following three definitions. Being tamper-evident refers to a passive physical security characteristic, which provides detection whether a hardware component has been illicitly modified or compromised. Optionally, tamper-evidence provides moreover the detection of unsuccessful tampering attempts. However, tamper-evidence itself cannot prevent any potential modifications or disclosures. Being tamper-resistant or tamper-proof refers to a passive physical security characteristic, which prevents an attacker from illicitly modifying or compromising a hardware component by passive, non-responsive physical protection measures.

Lastly, being tamper-responsive refers to an active physical security characteristic, which actively prevents an attacker from tampering a hardware component by triggering appropriate counteractive measures up to automatic self-destruction. Tamper-response, in turn, is based on tamper-detection measures, which have to detect an ongoing attack in order to trigger proper response measures. However, deploying physical security measures at the same time means that the maintainability of such a protected hardware component usually will become clearly limited. This holds, since it is normally impossible that a tamper-protection measure is able to distinguish between an authorized access and an unauthorized access.




