Tuesday, April 18, 2017

All Security is Personal

Bill Boldt
Business Development Manager, Security

To make any digital product secure it must have its own personality, which is crypto-speak for a unique digital identity. This digital identity comes in the form of a cryptographic key, which is a binary number of a specified length that is assigned to and stored in a device, such as a memory or processor chip. In security operations, keys are used by mathematical algorithms to enable the three pillars of security; namely, confidentiality, data integrity, and authentication. Crypto keys are considered valuable digital assets because a company's brand equity is increasingly tied to the security of its products. Product security is directly proportional to how securely the crypto keys are generated, transmitted, injected, and stored in devices. Such a process of key management and injection is called personalization (it is also called provisioning). The point here is that the factories where personalization happens must be made secure if the keys (and the products and processes that subsequently use them) are to be secure. BlackBerry's Certicom subsidiary offers a way to make factories secure with a product called the Asset Management System (AMS).

AMS deploys secure equipment to remote factories to manage and inject cryptographic keys such that the keys (and thus the products they protect) remain secure from tampering, counterfeiting, and cloning.  Without AMS there would be multiple attack points in the supply chain allowing grey marketers access to valuable IP and products, particularly at various subcontractor sites. Vulnerabilities can be introduced at several points in the manufacturing flow of a semiconductor chip, including at wafer test, bonding and packaging, and chip testing. Personalization prevents subcontractors from overbuilding, copying, or cloning devices, designs, or firmware. Personalization via AMS ameliorates those vulnerabilities and thus enhances product trust and brand equity.

Certicom AMS makes it possible to add Digital Rights Management (DRM) and Conditional Access System (CAS) device personalization in a manner that protects DRM and CAS keys at vulnerable (i.e. attackable) manufacturing stages. Using AMS minimizes the risk from liquidated damages clauses contained in High Definition Content Protection (HDCP), Content Protection for Recordable Media (CPRM), Digital Transmission Content Protection (DTCP), Advanced Access Content System (AACS), and similar agreements. Certicom is the leading commercial solution for HDCP-enabled chip manufacturing.

Automotive Security Evolution

One of the most complex global supply chains is that of the automotive industry, and all security for cars begins with securing this supply chain. With connectivity and autonomous driving features gaining increasing traction, the main features of cars are literally being defined by software, and that software must be safe and trusted. Therefore, it is essential to protect software in every module and system in a car, starting with secure personalization.

Once a module is securely personalized it can be trusted to run cryptographic algorithms to provide the three pillars of security. Arguably, the most important of the pillars is authentication, which proves that the signals are being received from an authentic sender. Authentication can be symmetric, asymmetric, or a combination of the two.

Cryptographic security in cars is in its infancy and evidence shows that it will likely evolve over time, with symmetric authentication often being adopted initially and asymmetric authentication being added later, especially as higher bandwidth buses such as Ethernet are deployed. Symmetric authentication uses a shared secret key and is thus easier to implement, but there is a trade-off: shared keys must be distributed and stored beforehand. In contrast, with asymmetric authentication there is no need to distribute and store a shared secret key. Using shared keys presents more attack points than asymmetric authentication does, so symmetric authentication is considered relatively less secure. Asymmetric authentication uses Public Key Cryptography, which allows a public key to be transmitted in the clear and used to perform authentication via algorithms that can mathematically prove that the sender is authentic. Asymmetric authentication works because the sender's private key (which is securely stored, never shared, and only signs messages) cannot be derived from knowing the public key. This property comes from the special mathematics and algorithms used to generate the private and public key pair that signs and verifies the message.

With asymmetric authentication, a chain of trust between sensors, ECUs, gateways, domain/area controllers, and other nodes can be established. That chain ultimately links back to a trusted device called a trust anchor. All nodes on the chain of trust authenticate the next node using sign-verify algorithms, so if the trust anchor is trusted, then all the nodes on the chain can also be trusted, without storing a pre-shared secret key. This increases both security and manufacturing flexibility, which are two very important values for the automotive industry.
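The two authentication styles and the chain of trust described above, as an added example written for this post (it is not Certicom or BlackBerry QNX code). The symmetric half uses HMAC-SHA256 with a pre-shared key; the asymmetric half uses Ed25519 from the Go standard library, with a constructed chain trust-anchor → central-gateway → brake-ecu in which each node signs the name and public key of the node below it. The node names, the sample message and the shared key are all made up for the example; a real vehicle would use a certificate format and a transport such as CAN or Ethernet that the code does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ---- Symmetric authentication: both ends hold the same pre-shared key ----

// SymTag computes an HMAC-SHA256 tag over msg with the shared key.
func SymTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// SymVerify recomputes the tag with the receiver's copy of the key and compares
// in constant time. Every node that stores sharedKey can also forge tags, which
// is why each such node is an attack point.
func SymVerify(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(SymTag(sharedKey, msg), tag)
}

// ---- Asymmetric authentication: a chain of trust rooted in a trust anchor ----

// Node is a sensor, ECU, gateway or other participant with its own key pair.
// The private key is generated inside the node and never leaves it.
type Node struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Cert binds a node's public key to its name, signed by the node one level up.
type Cert struct {
	Subject string
	Pub     ed25519.PublicKey
	Sig     []byte // issuer's signature over Subject|Pub
}

func mustNode(name string) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is unrecoverable for this demo
	}
	return &Node{Name: name, Pub: pub, priv: priv}
}

func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"|"), pub...)
}

// Issue signs the subject's name and public key with the issuer's private key.
func (issuer *Node) Issue(subject *Node) Cert {
	return Cert{Subject: subject.Name, Pub: subject.Pub,
		Sig: ed25519.Sign(issuer.priv, certBytes(subject.Name, subject.Pub))}
}

// Sign authenticates a message with the node's own private key.
func (n *Node) Sign(msg []byte) []byte { return ed25519.Sign(n.priv, msg) }

// VerifyChain starts from the trust anchor's public key and walks down: each
// cert must verify under the key established one level up, and the last key
// must have signed msg. The verifier stores only anchorPub, no shared secret.
func VerifyChain(anchorPub ed25519.PublicKey, chain []Cert, msg, sig []byte) bool {
	current := anchorPub
	for _, c := range chain {
		if !ed25519.Verify(current, certBytes(c.Subject, c.Pub), c.Sig) {
			return false
		}
		current = c.Pub
	}
	return ed25519.Verify(current, msg, sig)
}

// BuildDemoChain constructs anchor -> gateway -> brake ECU (constructed names)
// and returns what a verifier needs plus the ECU that will sign messages.
func BuildDemoChain() (anchorPub ed25519.PublicKey, ecu *Node, chain []Cert) {
	anchor := mustNode("trust-anchor")
	gateway := mustNode("central-gateway")
	ecu = mustNode("brake-ecu")
	chain = []Cert{anchor.Issue(gateway), gateway.Issue(ecu)}
	return anchor.Pub, ecu, chain
}

func main() {
	msg := []byte("brake-ecu: wheel_speed=42") // constructed sample message
	sharedKey := []byte("constructed-pre-shared-key")
	fmt.Println("symmetric verify:", SymVerify(sharedKey, msg, SymTag(sharedKey, msg)))

	anchorPub, ecu, chain := BuildDemoChain()
	fmt.Println("chain verify:", VerifyChain(anchorPub, chain, msg, ecu.Sign(msg)))

	// A rogue node with only a self-issued cert cannot link back to the anchor.
	rogue := mustNode("rogue-ecu")
	bad := []Cert{chain[0], rogue.Issue(rogue)}
	fmt.Println("rogue verify:", VerifyChain(anchorPub, bad, msg, rogue.Sign(msg)))
}
```

The contrast the post draws is visible in what each verifier must hold: `SymVerify` needs the same secret the sender has, so every receiver is a place that secret can leak from, whereas `VerifyChain` needs only the anchor's public key and rejects a node whose certificate was not issued by the key above it.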

Both symmetric and asymmetric methods will require some type of personalization, and that must happen in a secure way at every step in the supply chain including at OEM factories, Tier 1 and Tier 2 suppliers, distributors, dealers, and aftermarket suppliers.

AMS is powerful because it assures visibility at every step in the supply chain (and is easy to implement).   

AMS enables device manufacturers and silicon foundries to:

1. Improve the management and control of electronic serial numbers
2. Securely inject cryptographic keys into devices
3. Use keys and IDs for feature selection
4. Fight cloning and counterfeiting
5. Track yield data

Security and control are gained by serializing (tagging) individual silicon chips with cryptographic identities. Those tagged dice can be tracked throughout the production process as they pass across multiple outsourced contractors. AMS ensures all the touch points can be easily secured.
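The tracking that serialized dice make possible, as an added example written for this post rather than anything from Certicom AMS: a controller-side tracker that knows which serials it issued, records each site's report for the wafer-test, packaging and chip-test stages named earlier, and flags the reports the post's goals call out (serials it never issued, a serial reported twice at one stage, a die that failed and yet continued, a stage that was skipped), while computing yield from the final test. The serials A to E, the serial X and the report sequence are constructed for the example.

```go
package main

import "fmt"

// Stage is one outsourced touch point in the manufacturing flow of a die.
type Stage int

const (
	WaferTest Stage = iota
	Packaging
	ChipTest
)

var stageNames = []string{"wafer-test", "packaging", "chip-test"}

func (s Stage) String() string { return stageNames[s] }

// Finding records a report that contradicts the authorized production plan.
type Finding struct {
	Serial string
	Stage  Stage
	Reason string
}

// Tracker holds the controller-side view of every tagged die. The serials it
// knows about are the only ones it ever issued to the sites.
type Tracker struct {
	issued   map[string]bool
	seen     map[string]map[Stage]bool
	failed   map[string]bool
	passed   map[string]bool
	findings []Finding
}

func NewTracker(serials []string) *Tracker {
	t := &Tracker{
		issued: map[string]bool{}, seen: map[string]map[Stage]bool{},
		failed: map[string]bool{}, passed: map[string]bool{},
	}
	for _, s := range serials {
		t.issued[s] = true
		t.seen[s] = map[Stage]bool{}
	}
	return t
}

// Record ingests one report (serial, stage, pass) from a site and returns a
// non-empty reason when the report should not have happened.
func (t *Tracker) Record(serial string, stage Stage, pass bool) string {
	reason := ""
	switch {
	case !t.issued[serial]:
		reason = "serial never issued: suspected counterfeit or overbuild"
	case t.failed[serial]:
		reason = "die already failed an earlier test but is still in the flow"
	case t.seen[serial][stage]:
		reason = "serial reported twice at the same stage: suspected duplicate or clone"
	case stage > WaferTest && !t.seen[serial][stage-1]:
		reason = "previous stage never reported: die bypassed a controlled step"
	}
	if reason != "" {
		t.findings = append(t.findings, Finding{serial, stage, reason})
		return reason
	}
	t.seen[serial][stage] = true
	switch {
	case !pass:
		t.failed[serial] = true
	case stage == ChipTest:
		t.passed[serial] = true
	}
	return ""
}

// Yield is the fraction of issued serials that passed the final chip test.
func (t *Tracker) Yield() float64 {
	return float64(len(t.passed)) / float64(len(t.issued))
}

func (t *Tracker) Findings() []Finding { return t.findings }

// RunDemo replays a constructed set of site reports (serials and sequence are
// made up for the example) and returns the resulting tracker state.
func RunDemo() *Tracker {
	t := NewTracker([]string{"A", "B", "C", "D", "E"})
	reports := []struct {
		serial string
		stage  Stage
		pass   bool
	}{
		{"A", WaferTest, true}, {"A", Packaging, true}, {"A", ChipTest, true},
		{"B", WaferTest, true}, {"B", Packaging, true}, {"B", ChipTest, false},
		{"C", WaferTest, true}, {"C", WaferTest, true}, // same serial twice
		{"X", Packaging, true},                          // never issued
		{"D", WaferTest, false}, {"D", Packaging, true}, // failed die continues
		{"E", Packaging, true},                          // skipped wafer test
	}
	for _, r := range reports {
		t.Record(r.serial, r.stage, r.pass)
	}
	return t
}

func main() {
	t := RunDemo()
	for _, f := range t.Findings() {
		fmt.Printf("%-3s %-10s %s\n", f.Serial, f.Stage, f.Reason)
	}
	fmt.Printf("yield: %.0f%%\n", 100*t.Yield())
}
```

The checks are only as strong as the serial's binding to the die: because the post ties each serial to a cryptographic identity injected at personalization, a site cannot simply invent a serial the controller will accept, which is what makes a "never issued" finding meaningful.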

Deploying secure appliances at remote sites enables visibility and control.

The diagram shows that the AMS Controller is secured in the operations headquarters. 

AMS Appliances operate in the outsourced manufacturing sites. AMS Appliances communicate with the local automated test equipment (ATE) in the production facilities. 

The AMS Agent runs inside the manufacturing test program installed in the ATEs at the manufacturing sites.

The Asset Control Core (ACC) is an optional IP block built into an ASIC chip (or FPGA), which acts as a feature and key lockbox. Adding the Asset Control Core and provisioning it via the AMS system provides an extremely high level of end-to-end manufacturing and feature provisioning security. AMS also works with a wide range of key storage methods beyond ACC, of course.

Using AMS provides many benefits to manufacturers across automotive, IoT, and other segments as noted in the chart. 

AMS anchors trust by guaranteeing that devices are secure at every step in the supply chain, and that is where end-to-end security starts.

Tuesday, January 31, 2017

Thank You to QNX Partners for a Wonderful CES

By Romain Saha
Strategic Alliances Manager
Blackberry QNX

It has been a few weeks since the 2017 Consumer Electronics Show. As with previous shows, BlackBerry QNX displayed industry-leading automotive technology in its booth. QNX unveiled not one, but two concept cars - a Jaguar XJ, which showcased a unified cockpit experience, and a self-driving Lincoln MKZ, both of which were well-received by customers and media alike.

But we could not have reached this stage alone.

What may not be obvious is the incredible investment BlackBerry QNX and our ecosystem make in developing advanced technology demonstrations. In some cases, ecosystem partners work alongside BlackBerry QNX as key contributors. In other cases, ecosystem partners develop independent demonstrations integrating their technology along with QNX’s technology.

In every case, our partners’ dedication and hard work to turn ideas into reality is greatly appreciated.

At CES, for example, Livio, Qualcomm, Renesas, Texas Instruments (TI), Polysync, and the University of Waterloo all helped showcase QNX's technology innovations.

Livio hosted a demo of SmartDeviceLink (SDL) running on the QNX Platform for Infotainment. Pioneered by Ford, SDL allows seamless connectivity between smart phones and infotainment systems. In their private suite, TI demonstrated not one, but two instances of the QNX Platform for Infotainment running on their processor hardware. 

Meanwhile, Renesas took people for test rides in the autonomous Lincoln MKZ they developed together with BlackBerry QNX. The deep level of collaboration required to achieve this is a true testament to the partnership, which generated overwhelmingly positive feedback. The University of Waterloo and Polysync contributed valuable technology to the Lincoln MKZ.

QNX-based digital instrument clusters were also well represented at CES this year. In their concept Maserati Quattroporte, Qualcomm demonstrated a digital instrument cluster based on the soon-to-be-released 64-bit version of QNX's OS, also known as SDP 7.0.

Our User Interface partners had great demos. At the Luxor hotel, DiSTI Corporation assembled an impressive collection of demos, with clusters running on Intel, Renesas and TI silicon. DiSTI teamed with CoreAVI to demonstrate a top-to-bottom BlackBerry QNX based safety critical cluster.

Rightware Kanzi was used in the digital cluster of the QNX’s Jaguar XJ concept car. This demonstration also displayed Kanzi Connect, which allowed drivers to personalize their dashboard interface in real-time using their smartphone.

CES 2017 was a tremendous success for BlackBerry QNX, thanks in no small part to the dedication of our partner ecosystem. Our partners help us offer more complete systems to customers and we thank them for their steadfast and incredible support. It is through such relationships that we can expand our ecosystem to the benefit of the industry.
Thursday, January 5, 2017

BlackBerry QNX’s self-driving Lincoln MKZ – what’s under the hood?

Kerry Johnson
Sr. Product Manager
BlackBerry QNX

At CES 2017, BlackBerry QNX unveiled its self-driving Lincoln MKZ.

In years past, BlackBerry QNX has become known for displaying its innovative technology in its concept cars, which included infotainment, mobile device connectivity, digital instrument clusters and ADAS. This year BlackBerry QNX has outfitted a Lincoln MKZ to demonstrate a self-driving vehicle. The Lincoln MKZ is much more than a demonstration vehicle – it is an engineering prototype that allows BlackBerry QNX engineers to experiment with and develop new technologies for the autonomous vehicle market.

You may wonder why BlackBerry QNX chose a Lincoln MKZ for its autonomous driving car. The reason is straightforward. The 2017 Lincoln MKZ comes equipped, from the factory, with all the necessary drive-by-wire capabilities. All of the driving systems (throttle, gearbox, steering and braking) can be completely controlled electronically. By using this capability as a starting point, BlackBerry QNX and its partners are able to focus on adding other self-driving capabilities such as the sensors, route planning, and maneuvering.

While providing the foundational software, BlackBerry QNX did not build this self-driving vehicle alone. We worked closely with Renesas, the University of Waterloo, Polysync and Cogent to put the car on the road.

The following is a brief walkthrough of the technologies inside the Lincoln MKZ:

BlackBerry QNX
BlackBerry QNX's goal was to build an autonomous vehicle using commercial embedded processors and a safety-certified embedded operating system (OS). At the core of the design was QNX's safety-certified OS, which powers all of the intelligent software modules. QNX's middleware serves to integrate RADAR and LIDAR sensors, multiple camera inputs and vehicle networking. BlackBerry QNX provided a port of the OpenCV library to help with the vision processing functions delivered by Cogent.

BlackBerry QNX also provided a port of Robot OS (ROS), so that the University of Waterloo could easily bring their self-driving software algorithms to the car without having to re-write large portions of code.

The ROS software components are not truly embedded, production-oriented software. However, in building an autonomous car we chose a phased approach: we used existing software to test and validate the solution, which saves time and allows flexible prototyping. Once the code is finalized we can convert it into an embedded solution.

University of Waterloo
The University of Waterloo, one of Canada’s leading autonomous driving research institutions, contributed several software components, including static and dynamic environment perception, path planning, maneuvering and dispatching control commands to the various actuators. It should be noted that, at the outset of the project, the University of Waterloo already had a number of these components operational. Part of the activity was to port the software from Linux to QNX – a task made simple by BlackBerry QNX’s support for the POSIX standard.

Polysync provided their framework for distributed communications and sensor integration. They also provided system data visualization tools, so the engineers could see how the system was operating from a central console.

Cogent provided a number of vision processing algorithms that processed input from multiple camera sensors.

The compute horsepower in the Lincoln MKZ comes from two Renesas R-Drive reference boards. Each Renesas R-Drive board has two Renesas R-Car system on chips (SoCs), each with quad-core ARM processors and image processing accelerators. Two R-Drive systems were used so that fail-over scenarios could be tested.

The following sensors were used to construct a 360-degree view of the surroundings and to achieve accurate positioning of the car:
  • 1 Delphi long range radar
  • 1 Delphi short & medium range radar
  • 2 Velodyne LIDARs
  • 1 forward-facing Point Grey camera
  • High precision GPS and IMU (Inertial Management Unit)

The car is now running on a test track. In the following years BlackBerry QNX will continue to refine the system towards production-oriented hardware and software.