
Safe and Secure: MACsec Implementation in the Context of ISO 26262 (PDF)

Document no. 158237, PDF, 20 pages, 1.25 MB

Slide 1: SAFE AND SECURE: MACSEC IMPLEMENTATION IN THE CONTEXT OF ISO 26262
Steffen Lorenz, NXP, September 2023, Ethernet & IP Automotive Technology Day
NXP, the NXP logo and NXP Secure Connections for a Smarter World are trademarks of NXP B.V. All other product or service names are the property of their respective owners. 2020 NXP B.V. (Classification: PUBLIC)

Slide 2: CAN WE TRUST MODERN CARS? Security is a must-have for vehicles.

Slide 3: AGENDA
- Security in automotive: MACsec in a nutshell
- Functional safety
- FuSa MACsec
- Summary and conclusion

Slide 4: Section divider: Security in automotive, MACsec in a nutshell

Slide 5: NEW E/E ARCHITECTURES ARE EMERGING TO MANAGE INCREASING HARDWARE AND SOFTWARE COMPLEXITY
(Diagram: four architecture generations, each drawn with ADAS, Connectivity + IVI, Drivetrain, Body, Gateway, Vehicle Computer and zone blocks)
- Domain: creates logical separation to isolate processing of domain functions with static network policies.
- Body-zonal: creates physical separation for body domain functions, enabling smart data and power distribution and reducing wiring/weight/complexity.
- X-domain zonal: creates physical separation for cross-domain functions in zones for further wiring/weight/complexity reduction, using a distributed compute architecture.
- SDV-optimized: centralized, service-oriented compute architecture with zones supporting SDV software deployment and further wiring optimization.

Slide 6: CORE SECURITY PRINCIPLES FOR DEFENSE IN DEPTH
Multiple layers of protection in any E&E network, to mitigate the risk of one component of the defense being compromised or circumvented, regardless of the actual vehicle network architecture and implementation:
- Secure domain isolation
- Secure external interfaces
- Secure internal communication
- Secure software execution

Slide 7: SCOPE OF NETWORK SECURITY
- E/E architectures are moving away from fixed-function boxes: data is shared, aggregated, and pre- and post-processed in different locations of the network.
- Scope of network security:
  - Authenticity and integrity of data: data originated from the expected sender (trusted source) and was not modified on its way.
  - Confidentiality of data: privacy of communication by data encryption per the AES standard.
- Two different types of secure associations:
  - Hop-to-hop (or point-to-point)
  - End-to-end: ensures authenticity and integrity of the data from source to destination, across multiple hops.
- Example: camera node in a zonal network (camera node, zonal GW, vehicle computer, IVI), shown with both hop-to-hop and end-to-end associations.

Slide 8: HOW DOES MACSEC INTERACT WITH THE HOST?
MACsec (802.1AE) tasks:
- With MACsec enabled, all data or control traffic (except for 802.1X packets) gets blocked until the session is secured.
- Establish secure channels (TX, RX) and the secure channel identifier.
- Establish and maintain secure associations by exchanging temporary association keys (key rotation).
- On transmit: add the SecTag (MAC Security Tag, 8 to 16 B), add the ICV (Integrity Check Value, 8 to 16 B), optionally encrypt the payload.
- On receive: decrypt the packets, check the SecTag (authenticated link partner), check integrity (modified in transit?), remove SecTag and ICV.
The host runs EAP and the IEEE 802.1X protocol (port-based network access control):
- Authenticating/authorizing the supplicant device
- Key exchange management
- Configuration/provisioning of session keys to the PHY in clear
- Making provision for the MACsec overhead
(Diagram: Node #1 and Node #2, each with a host controller connected over xMII and SMI to a MACsec-capable BASE-T1 PHY; the secure channel runs between the PHYs over the MDI.)
Frame format without MACsec: Preamble | SFD | DMA | SMA | EtherType | Payload | FCS
Frame format with MACsec: Preamble | SFD | DMA | SMA | MACsec EtherType | SecTag | Payload (optionally encrypted) | ICV | FCS

Slide 9: Section divider: Functional Safety

Slide 10: ISO 26262, THE SCIENCE OF QUANTIFYING RISK
- Exposure: how often is it likely to happen?
- Controllability: can the hazard be controlled?
- Severity: how much harm is done?
- Inherent risk is reduced towards the absence of unreasonable risk. Automotive Safety Integrity Levels: QM, ASIL A, ASIL B, ASIL C, ASIL D.
- ISO 26262, part 1: "absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems".

Slide 11: FUNCTIONAL SAFETY: HAZARD ANALYSIS & RISK ASSESSMENT
- Performed on item level.
- Requirements assigned in the safety concept to ensure the safety goals.
- Inherited by lower-level sub-systems/components.
- Failure modes typically relevant on Ethernet:
  - Unintended frame/data insertion
  - Unintended frame corruption
  - Undetected frame loss
  - Unintended frame delay, repetition or sequencing
  - Masquerade or incorrect addressing of information
(Exposure, controllability and severity diagram repeated from slide 10.)

Slide 12: HOW THE NETWORKING IC BRINGS SAFETY TO THE ZONE
Networking ICs can:
- Prevent failure: high reliability, freedom from interference.
- Predict failure: (self-)diagnostic features.
- React to failure: improved response time to increase the FTTI margin; even correct some failures.
Networking ICs are not the only part of the communication chain; E2E protection will be needed. Vehicle service availability is improved by ensuring availability of communication services in the vehicle; fail-operational systems need more than E2E.

Slide 13: LATENT FAULTS
- If a safety mechanism is not working, the related fault is not uncovered. This is a multiple-fault situation, but the occurrence of the two faults can be spread over a long time.
- The probability of two independent faults happening at a similar time is low; it is much higher when there is no time constraint. This creates a latent fault.
- To prevent this, the safety mechanism is proven to work on a regular basis (e.g. at startup), for example by BIST or a functional check. This contributes to the latent fault metric.
Source: ISO 26262-5:2018

Slide 14: Section divider: FuSa MACsec, Safe & Secure

Slide 15: MACSEC ADDS NEW FAILURE MODES
- Adding a security measure increases the complexity and silicon area.
- Data runs through additional processing.
- Additional configuration.
This adds new failure modes: more things can go wrong.
(Diagram: data path MAC, MACsec (802.1AE), PHY.)

Slide 16: FAILURE MODES
(MACsec 802.1AE task list and frame formats repeated from slide 8.)
- The secure channel depends on correct configuration.
- Adding content to the frame requires a new FCS.
- Encryption processes the whole data.
- Software trusts that the frame it receives was decrypted and arrived on the correct secure channel.

Slide 17: SAFETY GOALS
- Frames must not be forwarded with corrupted integrity:
  - Protect the data during processing.
  - Invalidate the FCS of a corrupted frame to prevent FCS escape.
(Diagram: MACsec (802.1AE) block with Data, Processing, FCS, Configuration & Key.)

Slide 18: SAFETY GOALS (continued)
- Frames must not be forwarded with corrupted integrity:
  - Protect the data during processing.
  - Invalidate the FCS of a corrupted frame to prevent FCS escape.
- Frames must not be forwarded to an incorrect secure channel:
  - Protect the configuration.
  - Latent fault check on processing/configuration.
(Diagram as on slide 17, with a latent fault check added.)

Slide 19: SUMMARY AND CONCLUSIONS
- Security is a must-have for vehicles, especially for SDVs.
- MACsec is one of the ingredients of multi-layer protection.
- Functional safety is another must-have in E/E architectures.
- A safe MACsec has to fulfill certain safety goals and should allow for latent fault checks.
- It will help to keep the secure network safe and increase its availability.
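The transmit and receive steps of the "How does MACsec interact with the host" slide and the FCS-escape safety goal of the "Failure modes" and "Safety goals" slides, as an added Python model that is not from the presentation or any NXP product. It assumes an integrity-only association without SCI, an HMAC-SHA256 tag truncated to 16 bytes standing in for the AES-GCM ICV, a constructed 64-byte host frame, and an ingress CRC snapshot as a stand-in for whatever in-engine data protection a real IC implements.

```python
import hashlib, hmac, struct, zlib

MACSEC_ETHERTYPE = b"\x88\xe5"        # 802.1AE EtherType
DEMO_KEY = bytes(range(16))           # constructed demo key, not a real SAK

def fcs(b):                           # IEEE 802.3 FCS: CRC-32, little-endian on the wire
    return struct.pack("<I", zlib.crc32(b) & 0xFFFFFFFF)
def icv(key, aad, payload):           # stand-in for the 16-byte AES-GCM tag (assumption)
    return hmac.new(key, aad + payload, hashlib.sha256).digest()[:16]
def sectag(an, pn, plen):             # 8-byte SecTag: EtherType, TCI/AN, SL, PN (no SCI)
    return MACSEC_ETHERTYPE + bytes([an & 3, plen if plen < 48 else 0]) + struct.pack(">I", pn)
def flip_bit(b, i):                   # single-bit fault or modification at byte i
    return b[:i] + bytes([b[i] ^ 0x01]) + b[i + 1:]

def macsec_tx(host_frame, key, an, pn, fault_at=None, safety_check=True):
    """host_frame = DA|SA|EtherType|data|FCS. fault_at injects a bit flip inside the
    engine, after the ingress FCS check and before ICV and new FCS are generated."""
    body, in_fcs = host_frame[:-4], host_frame[-4:]
    if fcs(body) != in_fcs:
        raise ValueError("ingress FCS error")
    ingress_crc = zlib.crc32(body)    # safety mechanism: remember the data at ingress
    da_sa, rest = body[:12], body[12:]
    rest = flip_bit(rest, fault_at) if fault_at is not None else rest  # corruption in processing
    tag = sectag(an, pn, len(rest))
    secure = da_sa + tag + rest + icv(key, da_sa + tag, rest)
    out_fcs = fcs(secure)             # added content requires a new FCS
    if safety_check and zlib.crc32(da_sa + rest) != ingress_crc:
        out_fcs = bytes(x ^ 0xFF for x in out_fcs)  # invalidate the FCS on purpose
    return secure + out_fcs

def macsec_rx(wire, key):
    body, in_fcs = wire[:-4], wire[-4:]
    if fcs(body) != in_fcs:
        return "drop:fcs", None
    da_sa, tag, payload, tag_icv = body[:12], body[12:20], body[20:-16], body[-16:]
    if tag[:2] != MACSEC_ETHERTYPE:
        return "drop:untagged", None  # data traffic is blocked until the session is secured
    if not hmac.compare_digest(icv(key, da_sa + tag, payload), tag_icv):
        return "drop:icv", None       # modified in transit
    return "accept", da_sa + payload  # SecTag and ICV removed

HOST_BODY = bytes.fromhex("020000000001" "020000000002" "0800") + bytes(range(46))
HOST_FRAME = HOST_BODY + fcs(HOST_BODY)   # constructed 64-byte host frame incl. FCS

def scenarios():
    ok = macsec_rx(macsec_tx(HOST_FRAME, DEMO_KEY, 0, 1), DEMO_KEY)
    escape = macsec_rx(macsec_tx(HOST_FRAME, DEMO_KEY, 0, 2, fault_at=5, safety_check=False), DEMO_KEY)
    caught = macsec_rx(macsec_tx(HOST_FRAME, DEMO_KEY, 0, 3, fault_at=5), DEMO_KEY)
    wire = flip_bit(macsec_tx(HOST_FRAME, DEMO_KEY, 0, 4), 30)
    transit = macsec_rx(wire[:-4] + fcs(wire[:-4]), DEMO_KEY)   # FCS recomputed after the change
    return ok, escape, caught, transit
```

The `escape` case is the FCS escape: the fault occurs after the ingress check, so both the ICV and the new FCS are computed over corrupted data and the receiver accepts the frame; only the in-engine check (`caught`) turns it into an FCS drop.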
