Production Key Server for Secure Key Management
Embedded systems are taking on more and more functions. The large number of ECUs in vehicles is a prime example: their software coordinates an ever-growing share of powertrain, safety, and convenience functions. Previously, the IT systems in vehicles were isolated and self-contained. Now it is time to provide connectivity to the outside digital world in order to take advantage of the security and service potential of Car-to-X communication and of Firmware-over-the-Air (FOTA) updates.
Opening up to the outside world brings not only opportunities but also new security risks. Negligent or willful tampering with embedded systems in vehicles will become possible if we fail to protect them reliably. Permission for digital data exchange must therefore be made contingent on appropriate authentication with cryptographic keys and certificates. However, provisioning these keys and certificates in production, and managing them over the entire life of the protected products, is challenging – especially in business areas that rely on globally distributed production and supply chains and on a diverse array of supplier structures, such as the automotive industry.

To date, there have been two different approaches: either the provisioning of cryptographic data (keys, certificates, etc.) is decentralized, or it is managed from a central location. To avoid the disadvantages and security risks of both approaches, ESCRYPT is following a third path, which combines a centralized backend – the Key Management Solution (KMS) – with decentralized key injection on Production Key Servers (PKS) in the plants.

This guarantees not only maximum availability and low latency, but also optimum protection of cryptographic data, because every PKS is protected against unauthorized access by a powerful, industrial-grade Hardware Security Module (HSM) together with appropriate security software. Furthermore, since the PKS is only occasionally in contact with the backend – to synchronize data and perform updates – this approach offers the greatest possible independence from the quality of the internet connection. The frequency of this exchange is adjustable.