Bill Boldt, Business Development Manager, Security, BlackBerry
To make any digital product secure it must have its own personality, which is crypto-speak for a unique digital identity. This digital identity comes in the form of a cryptographic key: a binary number of a specified length that is assigned to and stored in a device, such as a memory or processor chip. In security operations, keys are used by mathematical algorithms to provide the three pillars of security, namely confidentiality, data integrity, and authentication. Crypto keys are considered valuable digital assets because a company's brand equity is increasingly tied to the security of its products.
Product security is directly proportional to how securely the crypto keys are generated, transmitted, injected, and stored in devices. This process of key management and injection is called personalization (also called provisioning). The point here is that the factories where personalization happens must be made secure if the keys, and the products and processes that subsequently use them, are to be secure. BlackBerry's Certicom subsidiary offers a way to make factories secure with a product called the Asset Management System (AMS).
AMS deploys secure equipment to remote factories to manage and inject cryptographic keys such that the keys (and thus the products they protect) remain secure from tampering, counterfeiting, and cloning. Without AMS there would be multiple attack points in the supply chain allowing grey marketers access to valuable IP and products, particularly at various subcontractor sites. Vulnerabilities can be introduced at several points in the manufacturing flow of a semiconductor chip, including at wafer test, bonding and packaging, and chip testing. Personalization prevents subcontractors from overbuilding, copying, or cloning devices, designs, or firmware. Personalization via AMS mitigates those vulnerabilities and thus enhances product trust and brand equity.
Certicom AMS makes it possible to add Digital Rights Management (DRM) and Conditional Access System (CAS) device personalization in a manner that protects DRM and CAS keys at vulnerable (i.e. attackable) manufacturing stages. Using AMS minimizes the risk from liquidated damages clauses contained in High Definition Content Protection (HDCP), Content Protection for Recordable Media (CPRM), Digital Transmission Content Protection (DTCP), Advanced Access Content System (AACS), and similar agreements. Certicom is the leading commercial solution for HDCP-enabled chip manufacturing.
Automotive Security Evolution
One of the most complex global supply chains is that of the automotive industry, and all security for cars begins with securing this supply chain. With connectivity and autonomous driving features gaining traction, the main features of cars are literally being defined by software, and that software must be safe and trusted. Therefore, it is essential to protect the software in every module and system in a car, starting with secure personalization. Once a module is securely personalized it can be trusted to run cryptographic algorithms to provide the three pillars of security. Arguably, the most important of the pillars is authentication, which proves that signals are being received from an authentic sender. Authentication can be symmetric, asymmetric, or a combination of the two.
Cryptographic security in cars is in its infancy and evidence shows that it will likely evolve over time, with symmetric authentication often being adopted initially and asymmetric authentication added later, especially as higher-bandwidth buses such as Ethernet are deployed. Symmetric authentication uses a shared secret key and is thus easier to implement, but there is a trade-off: shared keys must be distributed and stored beforehand. In contrast, with asymmetric authentication there is no need to distribute and store a shared secret key. Using shared keys presents more attack points than asymmetric authentication, so symmetric authentication is considered relatively less secure. Asymmetric authentication uses public key cryptography, which allows a public key to be transmitted in the clear and used to perform authentication via algorithms that can mathematically prove that the sender is authentic. Asymmetric authentication works because the sender's private key (which is securely stored, never shared, and only signs messages) cannot be derived from knowledge of the public key. This property comes from the special mathematics and algorithms used to generate the private and public key pair that is used to sign and verify the message.
With asymmetric authentication, a chain of trust between sensors, ECUs, gateways, domain/area controllers, and other nodes can be established. That chain ultimately links back to a trusted device called a trust anchor. Every node on the chain of trust authenticates the next node using sign-verify algorithms, so if the trust anchor is trusted, then all the nodes on the chain can also be trusted, without storing a pre-shared secret key. This increases both security and manufacturing flexibility, two very important values for the automotive industry.
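The sign-verify chain back to a trust anchor described in the two paragraphs above, as an added example (Python, standard library only; not Certicom or BlackBerry code): a gateway certified by the trust anchor certifies an ECU, a verifier holding only the anchor's public key checks an ECU signal, and a cloned ECU with its own key fails. Toy-sized Schnorr signatures over a freshly generated 128-bit safe-prime group stand in for the ECDSA/EdDSA a real vehicle would use; the node names, the sample signal and the group size are constructed assumptions.

```python
import hashlib, secrets
def is_probable_prime(n, rounds=24):  # Miller-Rabin with random bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(s - 1))
    return not any(witness(secrets.randbelow(n - 3) + 2) for _ in range(rounds))

def make_group(bits=128):  # TOY-SIZED safe-prime group p = 2q+1; g = 4 has prime order q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(G):  # private x in [1, q-1], public y = g^x mod p
    x = secrets.randbelow(G[1] - 1) + 1
    return x, pow(G[2], x, G[0])

def challenge(r, msg, q):  # Fiat-Shamir challenge e = H(r || msg) mod q
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big") % q

def sign(G, x, msg):  # Schnorr signature (e, s) with s = k - x*e mod q
    p, q, g = G
    k = secrets.randbelow(q - 1) + 1
    e = challenge(pow(g, k, p), msg, q)
    return e, (k - x * e) % q

def verify(G, y, msg, sig):  # recompute r = g^s * y^e mod p and check the challenge
    return challenge(pow(G[2], sig[1], G[0]) * pow(y, sig[0], G[0]) % G[0], msg, G[1]) == sig[0]

def cert(G, issuer_priv, name, pub):  # issuer vouches for the binding (name, pub)
    return name, pub, sign(G, issuer_priv, f"{name}:{pub}")

def verify_chain(G, anchor_pub, chain, msg, msg_sig):
    issuers = [anchor_pub] + [pub for _, pub, _ in chain]  # issuer of chain[i]; anchor_pub is the only pre-installed key
    links_ok = all(verify(G, issuers[i], f"{n}:{pk}", sg) for i, (n, pk, sg) in enumerate(chain))
    return links_ok and verify(G, issuers[-1], msg, msg_sig)  # the last certified key must have signed msg

def demo():
    G = make_group()
    anchor, gw, ecu, clone = (keygen(G) for _ in range(4))  # (priv, pub) pairs; anchor = OEM trust anchor
    chain = [cert(G, anchor[0], "gateway", gw[1]), cert(G, gw[0], "ecu-42", ecu[1])]
    msg = "brake-pressure=42"  # constructed sample signal from the ECU
    genuine = verify_chain(G, anchor[1], chain, msg, sign(G, ecu[0], msg))
    bad = chain[:1] + [cert(G, clone[0], "ecu-42", clone[1])]  # cloned ECU: own key, no gateway-issued cert
    cloned = verify_chain(G, anchor[1], bad, msg, sign(G, clone[0], msg))
    return genuine, cloned  # (True, False)
```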
Both symmetric and asymmetric methods require some type of personalization, and that must happen in a secure way at every step in the supply chain, including at OEM factories, Tier 1 and Tier 2 suppliers, distributors, dealers, and aftermarket suppliers. AMS is powerful because it assures visibility at every step in the supply chain (and is easy to implement).
AMS enables device manufacturers and silicon foundries to:
1. Improve the management and control of electronic serial numbers
2. Securely inject cryptographic keys into devices
3. Use keys and IDs for feature selection
4. Fight cloning and counterfeiting
5. Track yield data
Security and control are gained by serializing (tagging) individual silicon chips with cryptographic identities. Those tagged dice can be tracked throughout the production process as they pass across multiple outsourced contractors. AMS ensures all the touch points can be easily secured. Secure appliances deployed at remote sites enable visibility and control.
The diagram shows that the AMS Controller is secured in the operations headquarters. AMS Appliances operate in the outsourced manufacturing sites and communicate with the local automated test equipment (ATE) in the production facilities. The AMS Agent runs inside the manufacturing test program installed in the ATEs at the manufacturing sites.
The Asset Control Core (ACC) is an optional IP block built into an ASIC chip (or FPGA), which acts as a feature and key lockbox. Adding the Asset Control Core and provisioning it via the AMS system provides an extremely high level of end-to-end manufacturing and feature provisioning security. AMS also works with a wide range of key storage methods beyond ACC, of course.
Using AMS provides many benefits to manufacturers across automotive, IoT, and other segments, as noted in the chart. AMS anchors trust by guaranteeing that devices are secure at every step in the supply chain, and that is where end-to-end security starts.