Tuesday, April 18, 2017

All Security is Personal



Bill Boldt
Business Development Manager, Security
BlackBerry

To make any digital product secure it must have its own personality, which is crypto-speak for a unique digital identity. This digital identity comes in the form of a cryptographic key, which is a binary number of a specified length that is assigned to and stored in a device, such as a memory or processor chip. In security operations, keys are used by mathematical algorithms to enable the three pillars of security, namely confidentiality, data integrity, and authentication. Crypto keys are considered valuable digital assets because a company’s brand equity is increasingly tied to the security of its products. Product security is directly proportional to how securely the crypto keys are generated, transmitted, injected, and stored in devices. This process of key management and injection is called personalization (it is also called provisioning). The point here is that the factories where personalization happens must be made secure if the keys, and the products and processes that subsequently use them, are to be secure. BlackBerry’s Certicom subsidiary offers a way to make factories secure with a product called the Asset Management System (AMS).


AMS deploys secure equipment to remote factories to manage and inject cryptographic keys such that the keys (and thus the products they protect) remain secure from tampering, counterfeiting, and cloning.  Without AMS there would be multiple attack points in the supply chain allowing grey marketers access to valuable IP and products, particularly at various subcontractor sites. Vulnerabilities can be introduced at several points in the manufacturing flow of a semiconductor chip, including at wafer test, bonding and packaging, and chip testing. Personalization prevents subcontractors from overbuilding, copying, or cloning devices, designs, or firmware. Personalization via AMS ameliorates those vulnerabilities and thus enhances product trust and brand equity.

Certicom AMS makes it possible to add Digital Rights Management (DRM) and Conditional Access System (CAS) device personalization in a manner that protects DRM and CAS keys at vulnerable (i.e. attackable) manufacturing stages. Using AMS minimizes the risk from liquidated damages clauses contained in High Definition Content Protection (HDCP), Content Protection for Recordable Media (CPRM), Digital Transmission Content Protection (DTCP), Advanced Access Content System (AACS), and similar agreements. Certicom is the leading commercial solution for HDCP-enabled chip manufacturing.

Automotive Security Evolution

One of the most complex global supply chains is that of the automotive industry, and all security for cars begins with securing this supply chain. With connectivity and autonomous driving features gaining increasing traction, the main features of cars are literally being defined by software, and that software must be safe and trusted. Therefore, it is essential to protect software in every module and system in a car, starting with secure personalization.

Once a module is securely personalized it can be trusted to run cryptographic algorithms to provide the three pillars of security. Arguably, the most important of the pillars is authentication, which proves that the signals are being received from an authentic sender. Authentication can be symmetric, asymmetric, or a combination of the two.

Cryptographic security in cars is in its infancy, and evidence shows that it will likely evolve over time: symmetric authentication is often adopted initially, with asymmetric authentication added later, especially as higher-bandwidth buses such as Ethernet are deployed. Symmetric authentication uses a shared secret key and is thus easier to implement, but there is a trade-off: the shared keys must be distributed and stored beforehand. In contrast, asymmetric authentication has no need to distribute and store a shared secret key. Because shared keys present more attack points than asymmetric authentication does, symmetric authentication is considered relatively less secure. Asymmetric authentication uses public key cryptography, which allows a public key to be transmitted in the clear and used to perform authentication via algorithms that can mathematically prove that the sender is authentic. Asymmetric authentication works because the sender’s private key (which is securely stored, never shared, and only signs messages) cannot be derived from the public key. This property comes from the special mathematics and algorithms used to generate the private and public key pair that signs and verifies the message.
  
With asymmetric authentication, a chain of trust between sensors, ECUs, gateways, domain/area controllers, and other nodes can be established.  That chain ultimately links back to a trusted device called a trust anchor. All nodes on the chain of trust authenticate the next node using sign-verify algorithms, so if the trust anchor is trusted, then all the nodes on the chain can also be trusted, without storing a pre-shared secret key.  This increases both security and manufacturing flexibility, which are two very important values for the automotive industry.
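The chain of trust described above, as an added example that is not Certicom or AMS code: each node gets its own key pair at personalization time, the node before it in the chain signs that node's serial number and public key, and a verifier that stores only the trust anchor's public key walks the chain back to the anchor. Ed25519 is assumed as the signature scheme and the node names (trust-anchor, gateway-0001, ecu-0042) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Node is one link in the chain: its identity, key pair, and the issuer's signature over both.
type Node struct {
	ID, Issuer string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey // never leaves the node and only ever signs
	Sig        []byte             // issuer's signature over credential(ID, Pub); nil for the anchor
}

// credential binds an ID to a key so a signed key cannot be replayed for another serial number.
func credential(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+":"), pub...)
}

// NewNode generates a key pair at personalization time; a nil issuer marks the trust anchor.
func NewNode(id string, issuer *Node) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	n := &Node{ID: id, Pub: pub, priv: priv}
	if issuer != nil {
		n.Issuer, n.Sig = issuer.ID, ed25519.Sign(issuer.priv, credential(id, pub))
	}
	return n
}

// VerifyChain walks anchor -> leaf. The verifier stores only the anchor's public key;
// every later link is accepted solely because its predecessor signed its credential.
func VerifyChain(chain []*Node, anchorPub ed25519.PublicKey) bool {
	if len(chain) == 0 || !chain[0].Pub.Equal(anchorPub) {
		return false
	}
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		if cur.Issuer != prev.ID || !ed25519.Verify(prev.Pub, credential(cur.ID, cur.Pub), cur.Sig) {
			return false
		}
	}
	return true
}
```

VerifyChain returns true for anchor -> gateway -> ECU built with NewNode, and false when the ECU is swapped for a self-generated key pair carrying the same serial number (a clone), when the chain starts from a different anchor, or when a device's serial number is changed after signing.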

Both symmetric and asymmetric methods will require some type of personalization, and that must happen in a secure way at every step in the supply chain including at OEM factories, Tier 1 and Tier 2 suppliers, distributors, dealers, and aftermarket suppliers.


AMS is powerful because it assures visibility at every step in the supply chain (and is easy to implement).   

AMS enables device manufacturers and silicon foundries to:

1. Improve the management and control of electronic serial numbers
2. Securely inject cryptographic keys into devices
3. Use keys and IDs for feature selection
4. Fight cloning and counterfeiting
5. Track yield data

Security and control are gained by serializing (tagging) individual silicon chips with cryptographic identities. Those tagged dice can be tracked throughout the production process as they pass across multiple outsourced contractors. AMS ensures all the touch points can be easily secured.



Deploying secure appliances at remote sites enables visibility and control.

The diagram shows that the AMS Controller is secured in the operations headquarters. 

AMS Appliances operate in the outsourced manufacturing sites. AMS Appliances communicate with the local automated test equipment (ATE) in the production facilities. 

The AMS Agent runs inside the manufacturing test program installed in the ATEs at the manufacturing sites.






The Asset Control Core (ACC) is an optional IP block built into an ASIC chip (or FPGA), which acts as a feature and key lockbox. Adding the Asset Control Core and provisioning it via the AMS system provides an extremely high level of end-to-end manufacturing and feature provisioning security. AMS also works with a wide range of key storage methods beyond ACC, of course.

Using AMS provides many benefits to manufacturers across automotive, IoT, and other segments as noted in the chart. 




AMS anchors trust by guaranteeing that devices are secure at every step in the supply chain, and that is where end-to-end security starts.