View stunning SlideShares in full-screen with the new iOS app!Introducing SlideShare for AndroidExplore all your favorite topics in the SlideShare appGet the SlideShare app to Save for Later — even offline
View stunning SlideShares in full-screen with the new Android app!View stunning SlideShares in full-screen with the new iOS app!
Secure Software Upload in an Intelligent Vehicle via Wireless Communication Links Syed Masud Mahmud, Member, IEEE, Shobhit Shanker, Student Member, IEEE Irina Hossain, Student Member, IEEE necessary, the performance of its vehicles by remotely Abstract— The demand for drive-by-wire, telematics, adjusting some software parameters in the vehicles’entertainment, multimedia, pre-crash warning, highway electronic modules. Updating software modules in theguidance, remote diagnostic, etc. will significantly increase the future intelligent vehicles, on a regular basis, will becomplexity of a vehicle’s software modules. From time to time,the vehicle’s software may need to be updated due to many required to keep the vehicles compatible with thereasons such as the introduction of new features in vehicles, infrastructure of the intelligent transportation system.changing the navigation map, fixing software bugs, etc. Remote software upload, via wireless communicationSoftware updates must be done in secure modes to avoid any links, has many advantages over upload at a service station.future disasters due to malfunctions of the vehicle. In this Some of the advantages are as follows:paper, we propose an architecture for secure software uploads • The consumers do not need to take their vehicles toin vehicles. We provide a detailed description of the securesoftware upload process. service stations. Thus, remote software upload operations will save consumers’ valuable time. Key words— Software update, security, key management, • The personnel at the service stations do not need tointelligent vehicles. spend time on vehicles on an individual basis eliminating labor costs from the auto manufacturers as I. INTRODUCTION well as from the consumers.A BOUT half a century ago a vehicle was mostly a mechanical device. Today, a significant part of avehicle’s manufacturing cost goes towards the • The auto manufacturers can immediately fix bugs or upload new features in software modules without being delayed for a long period of time, which mayimplementation of electronic components. The demand for save a significant amount of money from legal costs.drive-by-wire, telematics, entertainment, multimedia, pre- To upload software in vehicles, it is critically importantcrash warning, highway guidance, remote diagnostic, etc. that this be done in a secure environment. Otherwise, thewill significantly increase the complexity of in-vehicle system would be susceptible to security attacks, which willcommunication networks, hardware and software modules. compromise its safety and functionality. This paperFrom time-to-time, it will be necessary to upgrade vehicles’ presents a mechanism for secure software upload in ansoftware modules. For example, the map of a vehicle’s intelligent vehicle. The scope of this paper is softwarenavigation system may need to be updated when new upload for one vehicle only. Thus, if the same softwareroads, houses and offices are built. A company may need to needs to be uploaded in multiple vehicles, then the uploadmonitor its newly designed vehicles, via wireless operation must be repeated for each vehicle one at a time.communication links, to determine the performance of the The rest of the paper is organized as follows. Section IIvehicles in terms of fuel efficiency, emission and other presents some basic materials on secure communications.driving conditions. The company can then improve, if Section III describes our architecture. Section IV shows system requirements, and Section V presents the Manuscript received December 15, 2004. conclusions. Syed Masud Mahmud is with the Department of Electrical andComputer Engineering, Wayne State University, Detroit, MI 48202 USA II. SOME BASIC MATERIALS(Phone: 313-577-3855; fax: 313-577-1101; e-mail:email@example.com). During the last several years, interest in using the Shobhit Shanker is with the Department of Electrical and Computer wireless communication technologies have grownEngineering, Wayne State University, Detroit, MI 48202 USA (e-mail: significantly. Bluetooth features are becoming firstname.lastname@example.org). Irina Hossain is with the Department of Electrical and Computer common in cell phones, PDAs, laptops, etc. More and moreEngineering, Wayne State University, Detroit, MI 48202 USA. (e-mail: homes are getting broadband connections and using Wi-Fiihossain@wayne.edu) technology for wireless in-home networking. The 0-7803-8961-1/05/$20.00 2005 587
automotive industry has also started introducing wireless the protocol of the outer packet, called the tunnel interface.technology, such as Bluetooth, for its in-vehicle C. Symmetric and Public Key Encryptionnetworking . If secure wireless networks can beimplemented at reasonable costs, then consumers’ demand There are mainly two types of encryption techniques: thefor in-vehicle wireless networks may increase significantly. symmetric-key and public-key encryptions . In theThe government may also mandate auto companies to have symmetric-key encryption, both parties use the same key towireless networks in vehicles so that the vehicles can encrypt and decrypt messages. In this encryption technique,communicate with each other to issue pre-crash warnings; both parties must have the same key in their system beforeand law-enforcing authorities can monitor vehicles’ they are going to exchange messages. The public-keyemission, speed and other items related to violations of encryption uses a combination of a private key and a publictraffic laws. key. A computer (say X) can send its public key to other Auto companies and suppliers must use secure wireless computers with which it wants to establishlinks to upload software in their vehicles. Otherwise, communications, but it will securely keep its own privatehackers may tamper with software code during the key. A message that is encrypted by the public key of X,uploading process, leading to possible disasters during the can only be decrypted by X using its private key. Theoperation of the vehicles. The current techniques that are encryption/decryption process using public/private keyused for setting up a secure communication link are mainly mechanism is very time-consuming compared to that usingclient-server based techniques such as SSL and VPN. Brief symmetric key mechanism. Normally, two parties use thedescriptions of these techniques are shown below. public/private key technique to exchange their symmetric key. For example, if another computer (say Y), which hasA. SSL (Secure Socket Layer) the public key of X, wants to establish a secure The SSL protocol is the Web standard for encrypting communication link with X, then Y generates a symmetriccommunications between users and SSL (secure socket key and sends it to X after encrypting it using the publiclayer) enabled e-commerce sites . The SSL layer runs on key of X. X then uses its private key to decrypt the messagethe top of TCP/IP layer. The SSL security protocol sent by Y, and collects the symmetric key from theprovides data encryption, server authentication, message decrypted message. After that, X and Y communicate usingintegrity, and optional client authentication for a TCP/IP the symmetric key generated by Y.connection. The SSL protocol includes two sub protocols: the SSL record protocol and the SSL handshake III. THE PROPOSED ARCHITECTURE FOR SECUREprotocol. The SSL record protocol defines the format used SOFTWARE UPLOADto transmit the data. The SSL handshake protocol involves Here we present and discuss the architecture for secureusing the SSL record protocol to exchange a series of software upload in vehicles’ electronic modules. Wemessages between an SSL enabled server and SSL enabled assume that all the vehicles are equipped with wirelessclient when they first establish a connection. This exchange interface units to communicate with the infrastructure ofof messages is designed to facilitate the actions like: the Intelligent Transportation System (ITS). A company’sauthentication of the server to the client, authentication of server can communicate with a selected group of vehiclesthe client to the server, selection of cryptographic via either the cellular network or the ITS infrastructure.algorithms that they both support, use of public key Since the cell phone towers cover almost all the roadencryption techniques to generate shared secrets, etc. systems of the country, the same tower can also be used asB. VPN (Virtual private network) the Intelligent Transportation Tower (ITT). VPN is a private network that uses a public network A. Authentication Keys(usually the Internet) to connect remote sites or users We assume that at the time of manufacturing a vehicle, atogether . Instead of using a dedicated, real-world set of authentication keys is installed in the vehicle. Theconnection such as a leased line, a VPN uses "virtual" same set of keys is also kept in a central server. Every timeconnections routed through the Internet from the companys a vehicle is going to be authenticated by an ITT, the ITTprivate network to the remote site or employee. VPN gets the set of keys of the vehicle from the central server,mainly uses IPSec (internet protocol and security) protocol, and uses one key to authenticate the vehicle. Differentwhich in turn uses the tunneling method for making data authentication keys are used to authenticate the vehicle atpackets immune to attacks. IPSec can encrypt data between different times. When all the keys of the set are used forvarious devices, such as router-to-router, firewall-to-router, authenticating the vehicle, a new set of keys is generatedPC-to-router, PC-to-server, etc. Tunneling is the process of and sent to the vehicle. The new set of keys is also kept inplacing an entire packet within another packet and sending the central server. Successive authentications of the vehicleit over a network. The network and both parties understand are done using the new set of keys. After authenticating the 588
vehicle, the ITT or the central server issues a symmetric the vehicle can establish a secure link using one of thesekey to the vehicle. The ITT and/or the central server can link keys, say P1. Other link keys will be used to establishsecurely communicate with the vehicle using the symmetric future secure links between the vehicle and the supplier.key. Since a given link key is not going to be used more than once, both the supplier and the vehicle delete the key P1B. Key Management for Software Upload from the set of link keys after they have established aAssume that automotive company X wants to upload secure link for the first time. After that, the supplier and thesoftware in one of its vehicles (say Vehicle V). Let Y be vehicle generate some symmetric encryption keys. Usingthe supplier of the software. X generates a set of link keys these encryption keys, the supplier can send encrypted(P1, P2, . . , PN) and sends it to Y using a secure link such as software to the vehicle. Figure 1 shows the key transfer andSSL or VPN. Note that the link keys will be used to software upload process. Since each vehicle has its own setestablish secure links between Supplier Y and the target of keys, neither the vehicle nor the software vendor canVehicle V. X then securely sends the same set of link keys send any unauthorized software to other vehicles withoutto Vehicle V using either the cellular network or the the consent of the automotive company.infrastructure of ITS. Now, both Vehicle V and theSupplier Y have the same set of link keys. The supplier and _________________________________________________________________________________________________ Automotive Step1: Link keys P1, P2, . . PN, are sent in secure Company mode using SSL, VPN or other technology. Supplier X Y Step2: Vehicle V Step3: Link keys P1, P2, . . PN, are sent in secure a. A secure link is established using one link key. mode using the previously exchanged b. The supplier and the vehicle exchange a set of symmetric encryption key. symmetric encryption key(s). c. The supplier sends software in encrypted mode. Figure 1: Key transfer and software upload process._________________________________________________________________________________________________ positive acknowledge signal to both X (automotive C. Sending Multiple Copies of the Software can company) and Y (supplier). If the two copies of the Significantly Improve the Security Level software are not same, then the vehicle asks the supplier to To increase the security level of the software upload retransmit the unmatched packets.process, we recommend that the supplier should send at To avoid hackers from detecting a predicted order ofleast two copies of the software to the vehicle. These two packet transmission, the packets of the software can be sentor more copies of the software must be sent after some in some random orders. In that case, even if a hacker canrandom time intervals. First, the supplier will establish a change one packet of the first copy of the software, it willsecure link with the vehicle using one of the link keys, and be difficult for the hacker to detect the same packet in thethen send a copy of the software. After a random time second copy of the software. As a result, it will be moreinterval, the supplier will again establish a secure link with difficult for the hacker to change the same packet in boththe vehicle using another link key, and send the second copies of the software.copy of the software. After receiving two identical copies of the software, the The vehicle must have memory buffers to keep copies of vehicle initiates a process for replacing the old software ofthe software. After receiving both copies of the software, a module by a copy of the new software. The process ofthe vehicle checks whether the two copies are exactly same. replacing the old software is initiated when the vehicle isSince the two copies of the software are sent from the not in motion and the ignition is off. If the vehicle is insupplier to the vehicle at two different times, it is very motion, then it may issue a warning to the driver indicatingunlikely that a hacker will be able to change both copies of that new software is ready to be loaded in a module. Thenthe software exactly at the same point in the code. Thus, it the driver may stop the vehicle and turn the ignition off atis very unlikely that the two copies of the software will be his/her convenience. The vehicle then keeps a backup copyexactly same if one or both of them are changed. If the two of the old software in a temporary buffer. After that, thecopies of the software are the same, the vehicle sends a vehicle loads the new software into a module. The backup 589
copy can be used to undo the upload operation if there are match, then the hacker was able to change both copies ofany problems with the vehicle’s functionality after the some packets (including the message digest). The vehicleupload operation. then asks the supplier only to send one or more copies of After successfully uploading the software in a vehicle, encrypted message digest. The supplier sends the additionalthe automotive company (X) decides whether or not to copy(copies) of the message digest after some random timekeep the remaining link keys in the vehicle. If X determines interval. After receiving the additional copy of the messagethat Y has no more software to upload, then X sends a digest, the vehicle compares it with the calculated messagesignal to the vehicle to delete the remaining link keys. This digest. If they match, the vehicle accepts the software.way, the vehicle can keep itself protected from any insider Otherwise, the vehicle rejects the software. Figure 2 showsattacks by the employees of Y. In the future, if Y wants to the flow diagram of the software upload process where twoupload another software in the vehicle, then X issues copies of the software are sent along with the messageanother set of link keys to both Vehicle V and Supplier Y, digest (MD) in each copy.and the entire process of software upload is repeated. D. Only One Copy of the Software Appended with a Vehicle received two copies of the software. Message Digest (MD). If only one copy of the software is to be sent, then thesecurity level of the upload process can be increased by Yes No Are the two copies same?appending a message digest (MD) with the software. Thesupplier can create a 128-bit message digest of the softwareusing the MD5 algorithm . The supplier can then encrypt Yes No Vehicle Received MD =the message digest and send it along with the software. On Computed MD? requeststhe other hand, the vehicle can also create a 128-bit retransmissionmessage digest based on the software received by the of unmatched Vehicle requests packets.vehicle. After that, the vehicle can decrypt the message retransmission of MDdigest sent by the supplier and compare it with itscalculated message digest. If both match, then the vehicle Yes No Vehiclecan accept the software. Received MD = receives This particular technique, which uses a message digest Computed MD? unmatched(MD), has some disadvantages over the other technique packets.that sends at least two copies of the software. If a hackercan successfully change one packet of the software, then Vehicle accepts Vehicle rejects the software. the software.the decrypted message digest will not match with thevehicle’s calculated message digest. As a result, thesupplier will need to retransmit the entire software, because Figure 2: Software upload algorithm.the supplier does not know which particular packet is F. Uploading Software in Multiple Vehicleschanged. If a hacker can successfully change a packet of Software upload in only one vehicle will be necessary ifevery transmission, then the vehicle will never be able to a particular vehicle has some unique problems with itsupload the software. functionality. Uploading software only in one vehicle is aE. Two Copies of the Software with a Message Digest unicast process. The scope of our current work, presented (MD) in this paper, is software upload in one vehicle only.A better way of uploading software in a vehicle would be However, if the automotive company wants to add newsending two copies of the software along with the message features to a large number of vehicles, then software uploaddigest in each copy. If some packets of the first copy operations will be required for multiple vehicles.(including the message digest) do not match with the Uploading software in multiple vehicles is a multicastcorresponding packets of the second copy, then the vehicle process. Many different multicast algorithms have beenasks the supplier to send the unmatched packets. After designed for mobile devices , . Some of thesereceiving two identical copies of the software, along with algorithms can be used to extend our work for softwarethe message digest, the vehicle calculates a message digest upload in multiple vehicles. We intend to do that in ourbased on the software received from the supplier. The future work.vehicle then compares this calculated message digest with G. Protection of Keys in the Servers of the Automotivethe message digest received from the supplier. If they Company and the Software Vendormatch, the vehicle accepts the software. If they do not All keys must be appropriately protected in the servers of 590
both the automotive company and the software vendor. the driver of the vehicle, a very low bandwidth (say 1However, this is not a unique problem with our work. The Kbyte/sec) link may be good enough. To avoid anysame problem exists in all security systems. For example, bandwidth limitations for the overall system, including thethe systems that use private- and public-key mechanisms supplier, cellular and ITS infrastructure, the software canmust guard the private keys. Whatever techniques and be transmitted at off peak hours (say after midnight) whenmechanisms are used to guard the private keys of a system, there may be very little traffic from other types ofsimilar techniques and mechanisms could be used to protect communication services.the vehicle keys in the servers of the automotive company C. Size of Encryption Keysand the software vendor. The keys must be kept in tamperresistant devices. However, since the scope of this paper Longer encryption keys need more CPU time to dodoes not deal with the protection of keys in servers, we do encryption and decryption than that needed by shorternot want to discuss this issue any further. encryption keys. However, longer keys provide better security than shorter keys. Let us compare the key lengthsH. The Wireless Gateway of a Vehicle for two different cases of software upload process to A vehicle must have a wireless gateway for it to receive provide the same level of security. In one case, longer keyssoftware via wireless links. This wireless gateway would be are used and only one copy of the software is sent from thelike an ECU (electronic control unit) of the vehicle. The supplier to the vehicle. In the second case, shorter keys arewireless gateway should have access to the vehicle’s wired used, but two copies of the software are sent from thebus (e.g. a CAN bus) so that software can be sent to the supplier. Let L1 and L2 be the length of keys for the firsttargeted ECU from the wireless gateway. When the ignition and second case, respectively. The probability that a packetis off, the wireless gateway should be in a low power −Lreceive mode to avoid battery draining. Upon detection of a of the first case will be changed is k 2 1 , where k indicatessignal for software upload, the wireless gateway will switch how fast the hacker can decrypt information compared toitself to the full power mode to communicate with the the vehicle. For example, if k =2 then the hacker cannearest ITT. After receiving the software the wireless decrypt information twice as fast as the vehicle. Let n begateway can save the software in its own buffer. Later on, the total number of packets in the software. The probabilitywhen the ignition is turned on, the software can be that the vehicle will receive all n packets in clean form istransferred to the targeted ECU. (1 − k 2 ) . Then, the probability that at least one packet − L1 n IV. SYSTEM REQUIREMENTS will be changed by the hacker is In this section, we show the requirements of memory ( p1 = 1 − 1 − k 2 − L1 ) n (1)size, bandwidth and length of encryption keys for secure Similarly, for the second case, where two copies of thesoftware upload operations. software are sent, the probability that the first copy will beA. Memory Requirement ( −L ) n changed is 1 − 1 − k 2 2 . The probability that the A vehicle needs two memory buffers: one to keep a second copy of the software will be changed in the samebackup copy of the current software and another one to −Lkeep a copy of the new software. The size of each buffer packet, as in the first copy, is k 2 2 . Hence, theshould be at least equal to the longest code of a vehicle probability that tampered software will be uploaded in the vehicle for the second case is ( ) )k 2module. Normally, the engine control module contains thelongest code. A buffer size of 5 Mbytes should be goodenough to hold the software of the engine control module. ( p 2 = 1 − 1 − k 2 − L2 n − L2 (2) To have the same level of security for both cases, weThus, the two buffers together need at most 10 Mbytes.B. Bandwidth Requirement have to make p1 = p 2 , i.e. ( ) n 1 − 1 − k 2 − L1 =Unlike vehicle-to-vehicle communication for pre-crash (1 − (1 − k 2 ) )k 2 − L2 n − L2 . n(n − 1) 2 −2 L1warning that requires high bandwidth, the bandwidth − L1requirement of a vehicle’s wireless link for uploading Hence, nk 2 − k 2 + ... =software is not a serious issue. The software doesn’t need 2to be transmitted from the supplier to the vehicle in a short −L n(n − 1) 2 −2 L2 period of time (say within a few minutes). The supplier can nk 2 2 − k 2 + ...k 2 − L2 (3)take as much time as needed to send the software to the 2 vehicle. Since the transfer process of the two copies of the Most of the e-commerce transactions through the internetsoftware from the supplier to the vehicle is transparent to use 128-bit keys. However, for any reasonable key size 591
− L1 the software. In our future work we would like to evaluate(say 40 bits or longer), the values of nk 2 and the trade off between m and m+1 copies of the software bynk 2 − L2 are very small. Ignoring the higher order terms of considering various performance parameters such as −L 2 −2 L 2 L −LEquation (3) we get nk 2 1 = nk 2 2 , i.e. 2 2 1 = k . FEMA, cost/benefit and time to deploy the upgradedHence, software. L1 log 2 k L2 = + (4) V. CONCLUSIONS 2 2 In this paper, we have presented architecture for secure Equation (4) shows the relationship between L1 software upload in vehicles. We proposed that the supplierand L2 to have the same level of security. In general, we should send at least two copies of the software to the vehicle. We have given a detailed description of keycan show that if the supplier decides to send m copies of exchange mechanisms and software upload process. If twothe software, then the following relationship must hold to or more copies of the software are sent, then shorter keysachieve the same level of security. can be used to obtain the same level of security that can be L1 (m − 1) log 2 k obtained with longer keys when only one copy of the Lm = + (5) software is sent. In other words, with the same size of keys, m m a significantly higher level of security can be obtained ifwhere, Lm is the length of encryption keys when m copies two copies of the software are sent to the vehicle, instead ofof the software are to be sent. Table I shows the size only one copy. The level of security can be furtherof Lm needed to achieve the same level of security for increased if the time interval between the transmission of two copies of the software is a random number with a verydifferent values of k (speed ratio of hacker’s computer) long average value. Since different authentication keys areand m (number of copies of the software to be sent by the used for different vehicles, neither a vehicle nor thesupplier). software vendor can upload software in any other vehicles without the consent of the automotive company.Table I: Size of Lm to achieve the same security level for REFERENCES different values of k and m .  “Top 10 Techno-Cool Cars”, IEEE Spectrum, February 2003, pp. 30 Size of Lm (in bits) for L1 = 128 bits –35.  A Frier, P. Karlton, and P. Kocher, “The SSL 3.0 Protocol,” k m=2 m=3 m=4 Netscape, Nov. 1996.  M.S Bhiogade, Secure Socket layer, IS 2002 Proc. of the informing 2 65 44 33 science IT Education Conf., June 19-21, 2002, Cork, Ireland, pp 8 66 45 35 0085-0090. 32 67 46 36 http://ecommerce.lebow.drexel.edu/eli/2002Proceedings/papers/Bhio g058Secur.pdf 128 68 48 38  How Virtual Private Networks Work. Website of how stuff works. 512 69 49 39 http://computer.howstuffworks.com/vpn.htm. 2048 70 50 41  ”Handbook of Applied Cryptography “ By A. Menezes, P. Van Oorschot and S. Vandstone. CRC Press 1996.  Ronald Rivest, “The MD5 Message-Digest Algorithm”, RFC 1321 In the above analysis, it is assumed that the hacker stays April 1992.with the vehicle all the time. However, it may not be  Sung-Ju Lee, “Routing and Multicasting Strategies in Wireless Mobile Ad hoc Networks,” Ph. D. Dissertation, Univ. of Californiapossible for the hacker to stay with the vehicle 24 hours a Los Angeles, 2000.day and 7 days a week. If the duplicate copies of the  Thomas Kunz and Ed Cheng, “On-Demand Multicasting in Ad-Hocsoftware are sent after some random and long average time Networks: Comparing AODV and ODMRP,” Proc. of the 22nd International Conf. on Distributed Computing Sys. (ICDCS’02),intervals (say 24 to 48 hours), then the hacker may not stay IEEE Comp. Society, 2002.near the vehicle when the vehicle will be receiving theduplicate copies of the software. Thus, in real-life, a muchhigher level of security can be achieved by sending two ormore copies of the software to the vehicle.D. Trade off between m and m+1 Copies of the Software When m+1 copies of the software are sent, the length ofthe keys is shorter than when m copies of the software aresent. Shorter keys need less time to do encryptions anddecryptions of the software. However, sending m+1 copiesof the software need more time than sending m copies of 592