Since ECUs serve as the central nervous system of a vehicle, ensuring secure communication — whether it’s between ECUs onboard or with offboard Volvo back-office servers — is crucial for maintaining vehicle functionality and security. This involves ensuring that all transmitted data remains confidential, untampered, and consistently available when needed, and this is where my team — PKI Services — comes into play. We adhere to the principles of the CIA model — Confidentiality, Integrity, and Availability — to address these challenges.
Confidentiality: To keep the data confidential from unauthorized parties, we use encryption.
Integrity: To make sure that the data has not been tampered with, we use signing.
Availability: To make the system readily available, we make sure to have retry mechanism for failures, monitor our systems, etc.
This article highlights how I together with my team ensure the confidentiality and integrity of ECU communications using the Public Key Infrastructure (PKI) at Volvo Group Connected Solutions by leveraging PKI, we create a secure framework that protects the ECUs from cyber threats. We will explore the crucial role of PKI in our operations and the information security principles we integrate into our solution, which is part of a larger PKI solution at Volvo Group.
Asymmetric cryptography is a branch of cryptography that enables secure communication between two parties in a network using a key pair: a public key and a private key. With the use of the key pair, the transmitted data between two parties or more can remain confidential through encryption and decryption. The reason it’s called asymmetric encryption is because the key used to encrypt the data is different from the key used to decrypt it, unlike symmetric encryption where the same key is used for both encryption and decryption.
Public key: This key is used to encrypt outgoing messages and can be shared openly with anyone who needs to send messages to the recipient holding the private key.
Private key: This key is used to decrypt incoming messages from those who have your public key and must always be kept secret and secure.
But how does this de/encryption process work? Keys are merely tools; encryption and decryption are operations where data is processed through a function to produce a result. In this context, we use encryption algorithms, which handle the actual process of encryption and decryption using the keys. Examples of encryption algorithms include RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography).
With the use of OpenSSL which is an open-source tool used for implementing secure communications and provides various cryptographic operations, I generated this keypair using the ECC algorithm to see how it can look in practice:
Digital Signatures
The messages are encrypted and decrypted, ensuring secrecy between the two parties. However, if someone gains access to App’s public key, they could tamper with the encrypted message or replace it with another encrypted message. So, how does App ensure that it’s genuinely receiving the message from the ECU? To guarantee the integrity of the messages, a digital signature is added.
Digital signatures are encrypted hashes of the messages. The ECU creates a hash of the message using a hash function (such as SHA-256, SHA-384, etc.). This hash serves as a unique digital fingerprint of the message. The ECU then signs the hash using an encryption algorithm, employing its private key to generate a digital signature. Continuing with the previous example, the ECU uses its private key to sign outgoing messages, and App uses the ECU’s public key to verify the signature. When verifying the signature, App recalculates the hash of the received message using the same hash function. Then, App decrypts the digital signature using the ECU’s public key to obtain the original hash created by the ECU. If the recalculated hash matches the decrypted hash, it confirms that the message has not been altered and was indeed signed by the ECU.
I created a text file with a sentence, generated a hash of the file, and then signed it using the same keypair I generated in the previous example.
Check out this very detailed guide on how to generate a keypair, a hash, and a signature using OpenSSL! Link
As with most software systems, ensuring availability is a top priority. We achieve this through implementing several key measures commonly used in software systems, such as retry mechanisms for handling request failures, continuous and thorough system monitoring, and setting up alerts to always detect issues or potential issues as quickly as possible. These alerts include metrics related to latency, request rates, the number of errors, and various specific scenarios deemed unusual behavior in different parts of the system. Additionally, we scale our system in anticipation of traffic loads that are higher-than-normal when necessary, and we conduct regular stress testing to assess how much load our system can handle as it continues to grow in size and complexity.
Public Key Infrastructure (PKI)
Now that we can establish secure communication between the ECU and App using asymmetric cryptography and digital signatures, let’s address the next question. We know that the private key must always remain confidential, while the public key is shared openly. However, how can we trust that this public key is being used by a valid, expected, or trusted ECU? How do we verify the identity of the ECU associated with this public key? To achieve this, we use digital certificates, much like how we use ID cards or passports to verify our identities in the physical world. These digital certificates are issued and stored by trusted Certificate Authorities, and they verify the ownership of a public key. When the ECU sends a message to App, it sends both its digital certificate and a digital signature of the message, so App will use the public key provided in the ECU’s certificate to verify the digital signature.
The hierarchical structure of Certificate Authorities (CAs) responsible for issuing and managing certificates is essential. Within this framework, Registration Authorities (RAs) also play a pivotal role in managing certificates and upholding the system’s integrity. Serving as intermediaries between entities (such as ECUs in our context) and the CA, RAs verify the identity of ECUs requesting digital certificates. Upon successful validation, RAs will forward the certificate requests to the CA to issue the digital certificates.
How everything comes together in our solution
As mentioned previously, we are part of a larger PKI solution at Volvo, and we are responsible for issuing digital certificates primarily to ECUs on vehicles, and occasionally for infrastructure. We manage two key components: a repository of ECU public keys and the Registration Authority (RA). The components run on Amazon EC2 instances which are cloud-based AWS services, complemented by CloudHSM — another AWS service — that provides secure key storage and management, and cryptographic operations. With the help of CloudHSM, we keep our keys secure and perform some of the cryptographic operations that have been mentioned earlier such as signing messages.
To provide the issuance of digital certificates for ECUs, the process starts with ECU suppliers reporting ECUs’ information along with their public keys to our key repository where we store this information. This allows us to validate the digital signatures on certificate requests coming from the ECUs because it requires their authentic public keys to verify them as previously explained in the Digital Signatures section. These ECU reports are made way before the ECUs start requesting certificates.
Once the ECUs start requesting certificates, they will be received by our Registration Authority which performs a series of validations to verify various aspects, such as the presence of the ECU in our key repository, the identity of the vehicle that the ECU is mounted on, etc. If the certificate requests pass all these validations, we then forward them to our Certificate Authorities (CAs), which are managed by an external company. RA is responsible for more than just processing certificate requests; it also manages certificate acknowledgment and renewal requests from the ECUs. Additionally, RA has the authority to revoke old or invalid certificates according to agreed-upon criteria. At last, upon successful issuance by the CAs, the digital certificates are sent to RA, which then forwards them to the ECUs.
Final thoughts
While this provides a broad overview of the solution and its workings, there is much more that goes into it, especially since the system has been evolving since I joined the team. One example, we are integrating multiple types of digital certificates (over five types as of now), whereas there were only two types of them when I first joined, and these different types could be specific to certain types of ECUs, so the increase of the complexity is inevitable. However, we do our best to accommodate these differences in a maintainable way such that previously established certificate or ECU types are not affected by these new changes, and this of course applies to all the new functionalities and features that we introduce.
What is the role of ECUs in vehicle?
Electronic control units (ECUs) serve as the central nervous system of a vehicle, ensuring secure communication between ECUs onboard or with offboard servers. This is crucial for maintaining vehicle functionality and security.
How does PKI Services ensure the confidentiality of ECU communications?
PKI Services use encryption to keep data confidential from unauthorized parties. This involves using asymmetric cryptography, which employs a key pair (public and private keys) to encrypt and decrypt data.
What measures are taken to ensure the integrity of ECU communications?
To ensure data integrity, PKI Services use digital signatures. A digital signature is an encrypted hash of the message, which verifies that the message has not been altered and confirms the identity of the sender.
How is the availability of the system maintained?
The system’s availability is maintained through retry mechanisms for failures, system monitoring, and other measures to ensure that the system is readily available when needed.
What is the role of digital certificates in PKI?
Digital certificates verify the identity of the ECU associated with a public key. They are issued and stored by trusted Certificate Authorities (CAs) and are used to ensure that the public key is being used by a valid, expected, or trusted ECU.
Bio:
I’m a software engineer at Volvo Group Connected Solutions and have been working for two years now since graduation. My job has ignited my interest in cybersecurity, and I love the balance it offers between individual and team accomplishments. After work hours, I indulge in various creative outlets like playing musical instruments, graphic design, drawing, and baking!