Automotive Cryptography Fundamentals - Automotive Cybersecurity

Symmetric Cryptography in Automotive

Algorithm	Standard	Use Case	Performance (Aurix TC3xx HSM)
AES-128-GCM	NIST FIPS 197 + SP 800-38D	AEAD: bulk encryption + authentication (TLS, MACsec)	~400 MB/s hardware-accelerated
AES-128-CMAC	NIST SP 800-38B	Message authentication only; SecOC CAN MAC	~600 MB/s hardware-accelerated
AES-128-CBC	NIST FIPS 197	SHE M2 key encryption during CMD_LOAD_KEY	~500 MB/s hardware-accelerated
ChaCha20-Poly1305	RFC 8439	TLS cipher alternative on platforms lacking AES hardware	~200 MB/s SW on Cortex-M4

⚠️ AES-GCM Nonce Must Never Repeat Per Key

AES-128-GCM uses a 96-bit IV (nonce). If the same nonce is ever reused with the same key, an attacker can recover both plaintexts AND the authentication key -- the entire session is cryptographically broken. For automotive ECUs, use a monotonically incrementing counter as nonce, persisted to NVM before each power-off. Never use a counter that resets to zero on ECU reset without NVM recovery: the reuse of nonce 0 after reset breaks GCM security completely.

Asymmetric Cryptography

Algorithm	Standard	Signature Size	Verify Time	Use
RSA-2048	PKCS#1 v2.2 PSS	256 bytes	~1 ms (Cortex-M7 @ 400 MHz)	Legacy; avoid for new deployments
ECDSA-P256	FIPS 186-4	64 bytes	~0.1 ms	Preferred: firmware signing, TLS, certificates
ECDSA-P384	FIPS 186-4	96 bytes	~0.2 ms	V2X certificates; higher-security backend contexts
ECDH-P256	RFC 7748	--	--	TLS ephemeral key exchange; IKEv2 DH group 19
ML-KEM (Kyber)	NIST FIPS 203 (2024)	~1KB ciphertext	~0.5 ms	Post-quantum target 2028–2032 per SAE J3101

Hash Functions and Key Derivation Functions

Pythonhkdf_hierarchy.py

#!/usr/bin/env python3
# HKDF key derivation hierarchy for automotive SecOC key management
import hmac, hashlib

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    output = b""; t = b""; counter = 1
    while len(output) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        output += t; counter += 1
    return output[:length]

def derive_key(root: bytes, context: str, length: int = 16) -> bytes:
    prk = hkdf_extract(b"automotive-v1", root)
    return hkdf_expand(prk, context.encode(), length)

root_key = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
vin = "WBA12345678901234"

vms            = derive_key(root_key,  f"VehicleMasterSecret|{vin}")
esk_can0_tx    = derive_key(vms,       "ECU_TCU|CAN0|TX")
esk_can0_rx    = derive_key(vms,       "ECU_TCU|CAN0|RX")
esk_gw_can1_tx = derive_key(vms,       "ECU_GW|CAN1|TX")

print(f"VMS:            {vms.hex()}")
print(f"TCU CAN0 TX:    {esk_can0_tx.hex()}")
print(f"TCU CAN0 RX:    {esk_can0_rx.hex()}")
print(f"Gateway CAN1:   {esk_gw_can1_tx.hex()}")
print("Compromise of one ESK reveals NOTHING about VMS or other ECU keys")

Automotive-Grade Random Number Generation

Ctrng_interface.c

/* AUTOSAR Csm TRNG: Infineon Aurix TC3xx eHSM */
#include "Csm.h"

/* TRNG quality: NIST SP 800-90B continuous health tests in HSM:
   - Repetition Count Test: detects stuck TRNG output
   - Adaptive Proportion Test: detects TRNG bias
   TRNG feeds HMAC-DRBG (SP 800-90A) for higher throughput       */

Std_ReturnType Generate_Secure_Random(uint8* buf, uint32 bytes)
{
    Std_ReturnType result = Csm_RandomGenerate(
        CSM_JOB_RANDOM_256BIT, buf, bytes);

    if (result != CSM_E_OK) {
        /* TRNG failure: do NOT fall back to software PRNG */
        Dem_ReportErrorStatus(DEM_EVENT_CSM_TRNG_FAIL, DEM_EVENT_STATUS_FAILED);
        return E_NOT_OK;
    }
    return E_OK;
}

/* PROHIBITED: software PRNG seeded from cycle counter
   - Cycle counter predictable from timing side channels
   - 32-bit seed space = only 2^32 possible sequences = trivially brute-forced
   - Use Csm_RandomGenerate() ONLY; never srand(DWT->CYCCNT)             */

Summary

AES-128-GCM (AEAD bulk crypto) and AES-128-CMAC (MAC-only) are the two core symmetric algorithms -- both hardware-accelerated on automotive HSMs. ECDSA-P256 is the asymmetric standard: 64-byte signatures verify in 0.1 ms, comfortably within boot timing budgets. HKDF provides the key derivation hierarchy allowing one root key to derive per-ECU, per-bus, per-direction session keys with cryptographic isolation. Post-quantum migration to ML-KEM and ML-DSA is on the automotive roadmap for 2028–2032 -- start tracking SAE J3101 for implementation guidance.

🔬 Deep Dive — Core Concepts Expanded

This section builds on the foundational concepts covered above with additional technical depth, edge cases, and configuration nuances that separate competent engineers from experts. When working on production ECU projects, the details covered here are the ones most commonly responsible for integration delays and late-phase defects.

Key principles to reinforce:

Configuration over coding: In AUTOSAR and automotive middleware environments, correctness is largely determined by ARXML configuration, not application code. A correctly implemented algorithm can produce wrong results due to a single misconfigured parameter.
Traceability as a first-class concern: Every configuration decision should be traceable to a requirement, safety goal, or architecture decision. Undocumented configuration choices are a common source of regression defects when ECUs are updated.
Cross-module dependencies: In tightly integrated automotive software stacks, changing one module's configuration often requires corresponding updates in dependent modules. Always perform a dependency impact analysis before submitting configuration changes.

🏭 How This Topic Appears in Production Projects

Project integration phase: The concepts covered in this lesson are most commonly encountered during ECU integration testing — when multiple software components from different teams are combined for the first time. Issues that were invisible in unit tests frequently surface at this stage.
Supplier/OEM interface: This is a topic that frequently appears in technical discussions between Tier-1 ECU suppliers and OEM system integrators. Engineers who can speak fluently about these details earn credibility and are often brought into critical design review meetings.
Automotive tool ecosystem: Vector CANoe/CANalyzer, dSPACE tools, and ETAS INCA are the standard tools used to validate and measure the correct behaviour of the systems described in this lesson. Familiarity with these tools alongside the conceptual knowledge dramatically accelerates debugging in real projects.

⚠️ Common Mistakes and How to Avoid Them

Assuming default configuration is correct: Automotive software tools ship with default configurations that are designed to compile and link, not to meet project-specific requirements. Every configuration parameter needs to be consciously set. 'It compiled' is not the same as 'it is correctly configured'.
Skipping documentation of configuration rationale: In a 3-year ECU project with team turnover, undocumented configuration choices become tribal knowledge that disappears when engineers leave. Document why a parameter is set to a specific value, not just what it is set to.
Testing only the happy path: Automotive ECUs must behave correctly under fault conditions, voltage variations, and communication errors. Always test the error handling paths as rigorously as the nominal operation. Many production escapes originate in untested error branches.
Version mismatches between teams: In a multi-team project, the BSW team, SWC team, and system integration team may use different versions of the same ARXML file. Version management of all ARXML files in a shared repository is mandatory, not optional.

📊 Industry Note

Engineers who master both the theoretical concepts and the practical toolchain skills covered in this course are among the most sought-after professionals in the automotive software industry. The combination of AUTOSAR standards knowledge, safety engineering understanding, and hands-on configuration experience commands premium salaries at OEMs and Tier-1 suppliers globally.