Hardware-based security is an important topic, especially in view of phrases you have probably heard before: "The world runs on software", or the somewhat more negative connotation "Software is eating the world". This may certainly have been true in the 10s of this millennium, and it still is today, more than ever even: we find ourselves in an unmanageable jumble of software, updates, upgrades, in ever shorter cycles. New software replaces old software, and security remains a tightrope act for the end user, but also and especially for large enterprises. Entire departments are dedicated to the topic of security, and modern mathematics and data science promise us the highest possible security within the framework of cryptography. But where there is software, there are also hackers lurking. For a long time now, it has not only been about private pictures, documents or even customer data - especially in the automotive sector, it is about driver safety, about absolute reliability for vital functions. It is in the nature of all software to be fundamentally vulnerable to criminal energy that adapts to changing software times and seeks - and finds - exploits.
Cloud IT Professional
Ca. 8 min
Hardware Based Security – Why Cryptography Cannot Be the Savior
Of course: modern encryption methods help, well, to be secure. The problem, however, is that cryptography works with keys – strong algorithms, such as Elliptic Curve Cryptography (EEC), make life difficult for attackers and sometimes make the profession impossible. However, keys are usually embedded in the software. Once the system is compromised, so is the key, and so is the encrypted data.
This is where hardware-based security finally comes into play: Instead of managing the key material in the software, it is stored in a hardware security module (HSM) that is specially protected against external access. HSMs are always needed where increased protection is required. This can be the case anywhere in a company’s application landscape, from sales to product data management.
All too often, however, there are no security experts in these very departments. Which connector belongs where, which pin, which software, which ECU, to stay explicitly in the automotive environment?
Why Cognizant Mobility is the right partner in the area of hardware-based security
Cognizant Mobility has been active in the field of hardware-based security since 2016 and is one of the absolute preferred partners in this area, having already won several tenders with well-known manufacturers, such as the work on BMW’s automotive security backend center. This was achieved thanks to a high level of expertise – and an awareness of the niche in the field of hardware-based security. Pen testing can also be done by others – but Mobility knows how to use algorithms correctly and integrates them in such a way that a secure application can result.
Of course, development does not stand still either. In order to make applications secure for the threats of tomorrow, novel algorithms developed at universities (e.g., post-quantum cryptography) are already being taken into account in application development today, for example, to be able to secure new generations of control units.
Let’s be clear about this: in conjunction with safety , the topic of functional safety, also a core competency of Cognizant Mobility, an important – a good keyword for automotive manufacturers here would be chip tuning: new software has to be installed, that’s unavoidable, but of course this should only be possible for the car manufacturer. Thanks to hardware-based security, it is possible to “sign” the software exclusively with a special key. The control unit checks this key and only if it knows it and the signature is valid, the software is uploaded. A process that also plays an important role in Robotic Process Automation. Updating and further developing existing applications and integrating new algorithms and HSMs is one of the main tasks of Hardware Based Security, which Cognizant Mobility has been performing since 2016 – successfully, as evidenced by recent and successfully won tenders for large and well-known manufacturers.
Hardware Based Security in the Cloud – Cryptography of the Modern Age
Don’t worry – we are by no means planning to cryptograph the modern age. But your data. And where hardware-based security previously took place “on premise”, i.e. self-hosted, on its own servers in the data center, Cognizant Mobility is currently in the process of moving these applications to the AWS Cloud (Amazon Web Services). Sure – this process is complicated, because the previous process in hardware-based security has been proven for a long time, which is why large manufacturers such as BMW continue to rely on it, but this involves a lot of effort for setup and maintenance. In return, AWS offers managed hardware support for cryptography, specifically called the Cloud HSM Hardware Security Module. Even if this currently only masters a small part of the algorithms used, its appeal lies in the simple setup and integration, bundled with the advantages of the cloud such as availability and speed. While novel post-quantum algorithms are not currently available in the cloud, most standard algorithms are available, and the bulk of requests can be easily processed.
Dreams of the future: What possibilities does hardware-based security offer?
Secure boot in particular is an issue that Mobility always keeps an eye on. As in the BIOS of a normal computer, Secure Boot has a fuse that itself detects changes in the boot loader, for example triggered by a virus, and prevents the operating system from booting. Secure Boot works on the same principle for the control unit, which is cast into the hardware. The ECU checks the cryptographic signature of the boot loader, which in turn checks all subsequent boot days until the ECU software has started. And that is extremely important – so unauthorized access and manipulation are detected – and averted.
Cognizant Mobility, with its experts around Sebastian Huber, has been researching these processes from the very beginning and is therefore one of the most experienced providers on the automotive market in terms of solutions, development and maintenance in the area of hardware-based security. This is how we succeed in promising – and delivering – a secure tomorrow for your applications, too. Solutions on site, made in Germany, in Isar Valley: This is how security works. Hardware-based, future-oriented, secure. For sure.