Method for securing communication between two communication partners of a vehicle ecosystem
A hybrid key encapsulation method using conventional and post-quantum-resistant algorithms secures vehicle communication, addressing post-quantum threats by ensuring secure communication and easy retrofitting.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- MERCEDES BENZ GROUP AG
- Filing Date
- 2025-11-06
- Publication Date
- 2026-06-11
AI Technical Summary
Existing cryptographic methods used in vehicle communication systems, such as RSA and ECC, are vulnerable to post-quantum threats posed by quantum computers, rendering current vehicle communication insecure for their expected lifespan.
Implement a hybrid key encapsulation method combining conventional and post-quantum-resistant algorithms to generate a hybrid key, ensuring secure communication before and after the onset of a post-quantum threat, with classical algorithms ensuring integrity and authenticity before the threat and post-quantum algorithms maintaining confidentiality post-threat.
Ensures secure communication by doubly protecting post-quantum keys, allows easy retrofitting, and maintains security throughout the vehicle's lifespan by preventing attackers from overwriting keys in the post-quantum era.
Description
[0001] Mercedes-Benz Group AG
[0002] Methods for securing communication between two communication partners in a vehicle ecosystem
[0003] The invention relates to a method for securing communication between two communication partners of a vehicle ecosystem beyond the time of occurrence of a post-quantum threat, according to the type defined in more detail in the preamble of claim 1.
[0004] Generally speaking, modern vehicles, and in particular passenger cars and commercial vehicles, are part of a large vehicle ecosystem. A central part of this ecosystem is the so-called backend. This is an external server, usually operated by the vehicle manufacturer. The vehicles, or rather their control units, are connected to this external server via the internet. Communication between this backend and the vehicles is typically secured using cryptographic methods to protect the privacy of the vehicle user and to prevent external interference with data traffic. Such interference, especially with data related to vehicle control, could be exploited by hackers to attack the vehicles and manipulate critical functions.
[0005] Common practice involves the use of asymmetric keys or methods based on asymmetric cryptography. These are typically used in the form of so-called TLS (Transport Layer Security), and sometimes IPSec (Internet Protocol Security), which in turn utilize conventional asymmetric methods, such as RSA based on prime factorization or the discrete logarithm problem with elliptic curves (ECDLP).
[0006] Patent DE 10 2009 037 193 B4 describes a system and a method for carrying out an exchange of a so-called hybrid key between a vehicle and a server external to the vehicle in order to operate the data connection accordingly in a cryptographically secured manner, i.e. with encryption and/or authentication, even in the event of a post-quantum threat.
[0007] The typically used asymmetric cryptographic methods for key exchange, such as ECC or RSA, have the advantage of offering relatively secure protection with minimal effort, according to current standards. However, all these methods rely on cryptographic algorithms whose security is considered insufficiently robust against quantum computers. Due to the way they compute, quantum computers are capable of cracking asymmetric cryptographic methods and decrypting protected data within a very short time. The cryptographic security methods typically used for communication between the vehicle and the backend, especially for encryption and/or authentication, are then no longer considered sufficiently secure. This so-called post-quantum threat has so far been a rather theoretical one, as quantum computers were still considered purely research instruments and could only be realized with very high financial investment. However, the development of quantum computers has accelerated significantly in recent years. Therefore, from today's perspective, it is no longer possible to reliably predict that sufficiently powerful quantum computers will not be commercially available on the market in the coming years.
[0008] Vehicles entering the market today will typically remain on the road for 10 to 15 years. This means that the post-quantum threat, the potential for commercially available quantum computers to easily crack conventional cryptographic security at a later date, is already relevant for vehicles being delivered today. This includes vehicles that were produced in the past. Communication between a vehicle's communication device and an external server, currently secured using cryptographic protocols mostly based on RSA or ECC, would no longer be secure with the emergence of this post-quantum threat. Therefore, from today's perspective, secure communication cannot be guaranteed for the entire expected lifespan of the vehicles.
[0009] To address the post-quantum threat, DE 10 2020 001 199 A1 describes a communication unit for a vehicle, designed to operate in either a first or a second mode. The modes differ in the type of cryptographic data protection, such as the authentication and/or encryption methods. In the first mode, conventional asymmetric methods are used for data cryptographic protection. This pre-quantum mode can currently be used with conventional security measures. The second mode is intended for communication after the onset of a post-quantum threat. It utilizes either cryptographic security based on purely symmetric methods, which, according to current understanding, offers greater resistance to post-quantum threats, or security using algorithms that are resistant to post-quantum threats. These approaches are known as post-quantum cryptography or PQC. However, such PQC approaches for second-mode communication are still not fully mature and standardized. Therefore, incorporating them into control units now is complex and carries a certain risk regarding their actual reliability after the onset of the post-quantum threat.
[0010] WO 2022/167201 A1 addresses this problem by implementing, or retrofitting via a software update, an interface through which post-quantum-resistant keys can be exchanged at a later date, but still before the post-quantum threat materializes. However, securing this interface is also complex, as reliable cryptographic encryption is necessary in addition to the integrity- and authenticity-protected security measures.
[0011] To ensure the necessary or desired protection of products beyond the emergence of post-quantum threats, they must be enhanced using post-quantum cryptography. However, these specialized algorithms require specific key material that is not currently present in the products. Therefore, the key material must be retrofitted into the product. Generally, two methods are available for this. The first method involves incorporating it in a secure environment (e.g., a production environment). In practice, however, this method will hardly be relevant for existing products, as it will primarily involve retrofitting. The primary (second) method will therefore be retrofitting in an insecure environment, such as a workshop, or over the air (OTA - Over The Air). This method is secured by cryptographic algorithms that are considered secure at the time of transmission. Since the information transmitted in the last point must be protected for a period that, by definition, extends into the post-quantum era, the sole use of classical cryptographic algorithms is not feasible. The security measures must therefore include the post-quantum scenario when selecting algorithms. Thus, the last point is circular, as it already requires the use of post-quantum cryptography to introduce the new key material. Therefore, retrofitting existing products is not possible.
[0012] The publication by Ricci, Sara et al.: Hybrid keys in practice: Combining classical, quantum and post-quantum cryptography. In IEEE Access, Vol. 12, 2024, pp. 23206-23219. ISSN 2169-3536. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10430098 describes the basic use of hybrid key encapsulation methods.
[0013] The object of the present invention is to provide an improved method for securing communication between two communication partners of a vehicle ecosystem, which also enables reliably secured communication in the event of the occurrence of the post-quantum threat and thus solves the circular argument.
[0014] According to the invention, this problem is solved by a communication device for a vehicle having the features of claim 1, and in particular those of the characterizing part of claim 1. Advantageous embodiments and further developments of the communication device are described in the dependent claims.
[0015] In the method according to the invention, similar to the prior art mentioned above, a key is exchanged between the communication partners by means of authentication-protected communication before the onset of the post-quantum threat. According to the invention, a hybrid key encapsulation method is used for the key exchange, whereby a conventional key and a post-quantum-resistant key are exchanged, and a so-called hybrid key is derived from these. Thus, a hybrid key encapsulation mechanism (KEM) is used. This is a cryptographic technique with which a session key, which in the conventional sense is usually intended for use with a symmetric method such as AES, is transmitted using an asymmetric encryption method (for example, RSA). Participant A uses an encapsulation algorithm to generate a secret session key and a ciphertext from participant B's public key. This ciphertext is then transmitted to B via an unprotected channel. B can then use the decapsulation algorithm and their private key to also recover the secret session key. A hybrid key encapsulation method now uses a post-quantum-resistant approach, such as CRYSTALS Kyber (NIST: ML-KEM), in parallel with the conventional / classical approach, such as Diffie-Hellman. This key encapsulation method thus ensures confidentiality in both worlds, i.e., both before and after the onset of a post-quantum threat.
[0016] Based on the two generated session keys, a hybrid key is then created using a derivation procedure. The algorithms for deriving hybrid keys combine a classical key, which is already considered secure today, with a post-quantum algorithm to generate a key that remains secure even after the emergence of a post-quantum threat.
[0017] The post-quantum keys are thus doubly protected, once by a classical algorithm and once by a post-quantum algorithm. The inventive method avoids the problem of circular reasoning by protecting only the confidentiality of the post-quantum key being introduced and not ensuring its integrity or even authenticity in the context of post-quantum cryptography. Classical algorithms can ensure integrity and authenticity, but cannot maintain this protection in a post-quantum future. However, this is not necessary, since the import and thus the derivation take place in pre-quantum time, and the assurance provided by classical algorithms is therefore sufficient.
[0018] After the two keys have been exchanged, the possibility of further exchange is locked or deleted. This procedure ensures that post-quantum keys can only be imported once to prevent overwriting by an attacker in the post-quantum era. This can be achieved either by using a "write-once-read-many" memory area or by removing the import logic from the software, at least on the vehicle side, which is more vulnerable to third-party intrusion than an OEM backend.
[0019] An advantageous further development of the procedure envisages that the communication partners exchange a retrofit software update via authenticity-protected communication prior to the exchange of keys, establishing the hybrid key encapsulation procedure. The procedure can therefore be retrofitted or updated before the emergence of the post-quantum threat, but after the vehicle has been delivered, for example, if post-quantum-resistant methods and algorithms have been further improved.
[0020] Another highly advantageous embodiment of the method according to the invention can also provide that the communication partners exchange a software update via authentication-protected communication both before the occurrence of the post-quantum threat and after the key exchange, in order to communicate using the hybrid key or a post-quantum key subsequently loaded via it. This also allows for easy retrofitting, as the dependency of the generated keys can still be adjusted. Because the exchange takes place in the pre-post-quantum threat era, it is also possible here to impose high requirements on the software's authenticity if necessary, since protection can already be ensured by existing classical cryptography.
[0021] The onset of the post-quantum threat, which will naturally be a rather vague point in time, can be actively initiated for such systems, for example, by setting a state value (flag) in the backend. Subsequently, according to an advantageous design, communication after the onset of the post-quantum threat can then take place using cryptographic security via the hybrid key. This requires no additional effort; the hybrid key with its classical and post-quantum-resistant encryption can simply continue to be used.
[0022] According to an alternative, advantageous embodiment, a post-quantum-resistant key could also be loaded via the hybrid key using cryptographic security, which in this case specifically includes encryption. Communication would then take place using this loaded post-quantum-resistant key, also with cryptographic security. Depending on the type of post-quantum-resistant key material available, a simpler and potentially less resource-intensive method could be used, which would place less strain on the already limited resources in a vehicle than always having to use the hybrid key.
[0023] A favorable further development of the procedure envisages that the authenticity-protected communication is cryptographically secured, in particular authenticated, before the onset of the post-quantum threat using a conventional cryptographic method, such as RSA or ECC.
[0024] Further highly advantageous embodiments of the inventive method for securing communication also result from the exemplary embodiment, which is described in more detail below with reference to the figure.
[0025] The only accompanying figure 1 shows a flowchart for a possible implementation of the method according to the invention.
[0026] On a timeline t, two relevant points in time are marked: the present (G) and the beginning of the post-quantum threat (PQ). Between these two points in time, confidentiality and authenticity are ensured by classical cryptographic methods. This is indicated by the double arrow K. After the onset of the post-quantum threat, a post-quantum-resistant key material must be used, which is indicated by the right-pointing arrow with the abbreviation P.
[0027] Starting from the present state G, a software update for retrofitting key exchange via the hybrid KEM is downloaded in a first step A. This step is authenticated, and conventional or classical methods are sufficient here, as we are still before the onset of the post-quantum threat PQ. Subsequently, in step B, a key exchange takes place, in which a conventional key and a post-quantum-resistant key are exchanged. For the conventional key, a Diffie-Hellman method, such as ECDH (Elliptic Curve Diffie-Hellman), can be used. For the post-quantum-resistant key, a key encapsulation method such as CRYSTALS Kyber can be used. A derivation rule, which may have been initially stored or, in particular, may have been introduced via the software update, then creates the same hybrid key from both previously mentioned key parts for both communication partners.
[0028] Once this hybrid key is available, a tamper-proof locking or deletion of the hybrid key encapsulation mechanism (KEM) takes place in step C. Additionally, the hybrid key can be stored in a tamper-proof memory. This prevents the exchange of another key after time PQ. The authenticity of this new key would no longer be guaranteed in the post-quantum time, and an attacker could thus introduce their own key.
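The derivation rule of paragraph [0016] and the one-time import lock of paragraphs [0018] and [0028], sketched as an added example that is not part of the patent text. The patent does not specify the derivation rule, so HKDF-SHA-256 over the length-prefixed concatenation of both shared secrets is an assumption; the two secrets are constructed random stand-ins for the ECDH and ML-KEM outputs, and `WriteOnceKeySlot` and the label `hybrid-kem-demo v1` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(field: bytes) -> bytes:
    """Length-prefix a field so the concatenation cannot be re-split."""
    return len(field).to_bytes(4, "big") + field

def derive_hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Assumed derivation rule: both secrets in one KDF call, salted by the transcript."""
    if not ss_classical or not ss_pq:
        raise ValueError("both key shares are required")
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(_lp(ss_classical) + _lp(ss_pq), salt, b"hybrid-kem-demo v1")

class WriteOnceKeySlot:
    """Software model of step C: one import, then read-only (hypothetical class)."""
    def __init__(self) -> None:
        self._key = None

    def import_key(self, key: bytes) -> None:
        if self._key is not None:
            raise PermissionError("key slot is locked: import already performed")
        self._key = bytes(key)

    def read(self) -> bytes:
        return self._key

def demo() -> dict:
    # Constructed random stand-ins for the ECDH and ML-KEM shared secrets.
    ss_ecdh, ss_mlkem = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript = b"constructed: ECDH public keys || ML-KEM ciphertext"
    vehicle_key = derive_hybrid_key(ss_ecdh, ss_mlkem, transcript)
    backend_key = derive_hybrid_key(ss_ecdh, ss_mlkem, transcript)
    slot = WriteOnceKeySlot()
    slot.import_key(vehicle_key)
    try:
        slot.import_key(secrets.token_bytes(32))  # later overwrite attempt
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    # Knowing only the classical secret (PQ share guessed) gives a different key.
    guessed = derive_hybrid_key(ss_ecdh, bytes(32), transcript)
    return {
        "keys_match": hmac.compare_digest(vehicle_key, backend_key),
        "classical_alone_insufficient": guessed != vehicle_key,
        "overwrite_blocked": overwrite_blocked,
        "stored_key_intact": slot.read() == vehicle_key,
    }
```

Calling `demo()` returns the four checks as booleans. A software flag like this only models the lock; the patent's own options are a write-once-read-many memory area or removal of the import logic.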
[0029] In principle, the hybrid key could now be used directly to secure communication, but in practice it is usually better to use it to protect the confidentiality of a subsequently loaded pure post-quantum key (PQC - Post-Quantum Cryptography) during its transmission. This post-quantum key can then be used to secure further communication using post-quantum algorithms.
[0030] The final step D of the procedure before the onset of the post-quantum threat (PQ) requires the retrofitting of software logic to utilize the exchanged post-quantum key. This can be implemented through normal software update procedures. If requirements are placed on the software's authenticity, the software update must take place in the pre-quantum era. This ensures protection through existing classical cryptography.
[0031] After steps A to D, the procedure is now prepared for the arrival of the post-quantum threat (PQ). In the subsequent step E, the post-quantum keys are then used exclusively for communication.
[0032] Existing systems can easily be retrofitted with this method for safe operation even after the onset of the post-quantum threat (PQ).
Claims
Mercedes-Benz Group AG Patent claims
1. Procedure for securing communication between two communication partners of a vehicle ecosystem beyond the point in time of the occurrence of a post-quantum threat (PQ), for which a key is exchanged between the communication partners before the occurrence of the post-quantum threat (PQ) by means of authenticity-protected and encrypted communication, characterized in that a hybrid key encapsulation method is used for the exchange of the key, by means of which a conventional key and a post-quantum resistant key are exchanged, from which a hybrid key is then formed by means of a derivation rule, wherein after the exchange of the two keys the possibility of exchange is locked or deleted.
2. Method according to claim 1, characterized in that the communication partners exchange a retrofit software update prior to the exchange of the key via the authenticity-protected communication, which establishes the hybrid key encapsulation method.
3. Method according to claim 1 or 2, characterized in that the functions of the retrofit software update are deleted after the key is replaced, at least on the vehicle side.
4. Method according to any one of claims 1 to 3, characterized in that the hybrid key is immutably stored in a memory with write-once-read-many functionality.
5. Method according to one of claims 1 to 4, characterized in that the communication partners exchange a software update via authenticity-protected communication both before the occurrence of the post-quantum threat (PQ) and after the exchange of keys in order to reload software logic which allows communication via the hybrid key.
6. Method according to one of claims 1 to 5, characterized in that communication after the occurrence of the post-quantum threat (PQ) takes place by means of cryptographic security via the hybrid key.
7. Method according to one of claims 1 to 5, characterized in that a post-quantum-resistant key is loaded via the hybrid key by means of a cryptographic safeguard, which here in particular comprises encryption, after which communication takes place by means of a cryptographic safeguard via the post-quantum-resistant key.
8. Method according to one of claims 1 to 7, characterized in that the authentication-protected communication is cryptographically secured, in particular authenticated, before the occurrence of the post-quantum threat by means of a conventional cryptographic method, such as in particular RSA or ECC.