DE102006006109A1 - Method for tamper protection of a control device and protected against tampering control device - Google Patents

Abstract

A method for manipulation protection of a control device, in particular an engine control device, with a microcontroller and a non-volatile memory provided separately from the microcontroller, which is in particular designed as a flash memory, comprises: Encrypting unencrypted characteristic information relating to the non-volatile memory by means of an asymmetrical encryption method and memories the encrypted characteristic information in the non-volatile memory; - Transmission of the information stored in the non-volatile memory to the microcontroller; - Decryption of the transmitted information by the microcontroller; and comparing the decrypted information with the unencrypted characteristic information. Furthermore, a control device protected against manipulation is provided.

Description

STATE OF TECHNOLOGY

The The present invention relates to a tamper-resistant controller with a microcontroller and an external flash memory, as well as a method for tamper protection such a control unit.

Control engine control units the functions of a motor vehicle, such as fuel injection, ignition timing, Immobilizer, etc. The engine control unit has a microcontroller, which executes a predetermined program and a memory, for example, certain vehicle parameters used in this program or the like are stored. By manipulating the memory in this stored data, it is possible, for example, the performance of the motor vehicle increase (so-called tuning), which at the same time to increased Safety risks in road traffic leads and therefore from the manufacturer, also with regard to clear contingent liabilities, undesirable is. There is therefore a need for protection against such manipulation.

One known protection against manipulation can be achieved by that the microcontroller is equipped with an internal flash memory, and other protective measures, such as. the use of passwords for reading, deleting or programming, be used. However, this is due to the necessary flash technology with increased Costs connected, so that a solution without internal flash is preferable.

in the Case of an external (ie not integrated in the microcontroller) Flash memory, however, various attacks are conceivable. For example An attacker can manipulate an external flash memory against you Replace flash memory. In practice this turns out to be relatively simple, since the pin number of the external flash memory is relatively low is and therefore the case relatively small, so that a desoldering comparatively unproblematic is.

One further possible Attack is the ones stored in the external flash memory To change data through direct access. Modern flash components can usually programmed in the installed state (ie without desoldering) become what the attack possibilities simplified. A possible Protection against such an attack would be to gain access to the Flash memory in the installed state completely forbid. Indeed it is advantageous to allow an authorized group of users to to access the flash memory, for example, a reprogramming of the control unit or an update of the stored in the flash memory To be able to make data.

When potential Protection against such an attack is disclosed in the US patent 6,138,236 a PROM memory for initializing a computer system, the PROM memory has a programmable data area and an authentication area with a hash generator. Of the Hash generator generates a hash value of the in the programmable data area present code, and the authentication area authenticates the Code using this hash value. However, there is also the here possibility the first attack, namely Replacement of the entire PROM memory, allowing comprehensive protection without further protective measures can not be guaranteed can.

ADVANTAGES OF INVENTION

• – Verschlüsseln von unverschlüsselten charakteristischen Informationen bezüglich des nichtflüchtigen Speichers mittels eines asymmetrischen Verschlüsselungsverfahren und Speichern der verschlüsselten charakteristischen Informationen im nichtflüchtigen Speichers;
• – Übermitteln der im nichtflüchtigen Speicher gespeicherten Informationen an den Mikrocontroller;
• – Entschlüsseln der übermittelten Informationen durch den Mikrocontroller; und
• – Vergleichen der entschlüsselten Informationen mit den unverschlüsselten charakteristischen Informationen.

Accordingly provided is a method for manipulation protection of a control device, in particular of a motor control device, with a microcontroller and a non-volatile memory provided separately from the microcontroller, which is designed in particular as a flash memory, with the following steps:

• - encrypting unencrypted characteristic information relating to the nonvolatile memory by means of an asymmetric encryption method and storing the encrypted characteristic information in the nonvolatile memory;
• Transmitting the information stored in the non-volatile memory to the microcontroller;
• Decrypting the transmitted information by the microcontroller; and
• Comparing the decrypted information with the unencrypted characteristic information.

Under "unencrypted Information " this understood information that is not yet with the asymmetric encryption method encoded are; it can be at the unencrypted information so to act on information that is otherwise coded.

A control device protected against manipulation according to the invention comprises:
a non-volatile memory comprising a memory area in which characteristic information relating to the non-volatile memory is encrypted with a private key of a key pair for asymmetric encryption; and
a microcontroller connected to the nonvolatile memory via a data line, and ei ROM in which the public key of the key pair for asymmetric encryption, and a program for decrypting encrypted with asymmetric encryption data are stored.

Of the The idea underlying the invention is to be characteristic Information regarding of the non-volatile Memory (typically a flash memory) to encrypt and in non-volatile Store memory. While In operation, this information is then read out by the microcontroller. decrypts and with the unencrypted Information compared. If there is a difference, then that is a strong indication that one of the building blocks or the information stored therein were manipulated.

The For example, characteristic information can be the serial number of non-volatile memory be. Thus, protection against replacement of the non-volatile Memory can be achieved. It is advantageous that the characteristic information further include the serial number of the microcontroller. This allows the nonvolatile Memory and the microcontroller are paired with each other, so that protection against the replacement of one of these two building blocks is achieved.

The However, characteristic information can also be a hash value from in non-volatile Memory stored data. Thus, a protection against manipulation in the non-volatile Memory stored data reached.

at Determining inequality of decrypted information and the unencrypted Characteristic information can be an error reaction, in particular a reset, executed become.

It is beneficial if the key to decrypt the information through the microcontroller in a ROM memory the microcontroller is stored as this is the key Tampering protects.

• – Verschlüsseln von Daten durch den Mikrocontroller;
• – Speichern der verschlüsselten Daten im nichtfüchtigen Speicher;
• – Auslesen der im nichtflüchtigen Speicher gespeicherten Daten durch den Mikrocontroller;

und

• – Entschlüsseln der ausgelesenen verschlüsselten Daten durch den Mikrocontroller. Dadurch wird ein Schutz gegen das Kopieren bzw. Klonen von sicherheitsrelevanten oder sensitiven Daten im nichtflüchtigen Speicher erreicht. Hierbei ist es vorteilhaft, dass das Verschlüsseln und Entschlüsseln von Daten durch den Mikrocontroller mit einem symmetrischen Verschlüsselungsverfahren durchgeführt wird, da ein symmetrisches Verschlüsselungsverfahren nicht nur schneller sondern auch einfacher zu implementieren ist als ein asymmetrisches Verschlüsselungsverfahren.

In an advantageous development of the invention, the following steps are also provided:

• - Encrypting data by the microcontroller;
• - storing the encrypted data in the non-volatile memory;
• - reading the data stored in the non-volatile memory by the microcontroller;

and

• - Decrypting the read encrypted data by the microcontroller. This provides protection against the copying or cloning of sensitive or sensitive data in the non-volatile memory. In this case, it is advantageous that the encrypting and decrypting of data by the microcontroller is carried out with a symmetrical encryption method, since a symmetrical encryption method is not only faster but also easier to implement than an asymmetric encryption method.

In an advantageous development of the invention is the key to encode and decrypting of data through the microcontroller as a combination of programmable Bits and hard-wired bits stored in the microcontroller. This make it possible, a high key length with high possible variations economical to realize.

DRAWINGS

The Invention will be described below with reference to the schematic figures The drawings specified embodiments explained in more detail. It shows attended:

1 a schematic diagram of a control device according to an embodiment of the present invention.

2 a flowchart of a first method according to an embodiment of the present invention.

3 a flowchart of a second method according to an embodiment of the present invention.

DESCRIPTION OF THE EMBODIMENTS

In all figures of the drawing are the same or functionally identical elements - if nothing else is indicated - with the same reference numerals have been provided.

1 shows a schematic diagram of a control unit 1 according to an embodiment of the present invention. In the present embodiment, the controller is 1 designed as an engine control unit, which controls the functions of a motor vehicle, such as fuel injection, ignition timing, immobilizer, etc., controls. The engine control unit 1 has a microcontroller 2 as well as one separately from the microcontroller 2 provided nonvolatile memory, in particular as a flash memory 3 is trained. The microcontroller 2 is via a data line 4 with the Flash memory 3 connected. The microcontroller 2 is also connected via a not-shown interface and a data bus (for example, a CAN bus) to various sensors and actuators of the vehicle (eg, tachometer, fuel injection, etc.).

The microcontroller 2 has a non changeable serial number 5 and the flash memory 3 has a non changeable serial number 6 , These can be realized for example by a fixed wiring in the respective blocks, so that a manipulation of these serial numbers is not possible. The serial numbers are typically 123 bits long and are not freely programmable or changeable. Furthermore, they are uniquely assigned to the blocks, that is, there are not several blocks with the same serial numbers. This is achieved, for example, by the serial numbers containing information about the production number, the production date, the wafer number and / or the position of the chip of the respective component on the wafer.

The microcontroller 2 contains a ROM memory area 10 , a RAM memory area 11 as well as a central processor device (CPU) 12 which one in ROM 10 stored program executes. In the ROM 10 is also a key 9 for decrypting data encrypted by an asymmetric method. A program for decrypting data with the key 9 is also in ROM 10 stored. As an asymmetric encryption / decryption method, for example, an implementation of the RSA algorithm is suitable.

The flash memory 3 contains a memory area 20 in which various data are stored, such as a boot code 21 , a program code 22 and a record 23 (Contains, for example, vehicle or engine parameters). The boat code 21 , the program code 22 and the record 23 are secured by respective signatures SIG21, SIG22 and SIG23, as explained below. The in flash memory 3 stored data is in operation via the data line 4 to the microcontroller 2 transmitted and used by this for controlling the motor vehicle. The data stored in flash memory 3 can be updated in a relatively simple manner by authorized site (eg by the manufacturer), without any replacement of the entire control unit 1 necessary is.

At the in 1 various types of attacks are conceivable with which an unauthorized party could attempt to save the data in flash memory 3 to change, for example, by replacing the flash memory 3 or by reprogramming the flash memory 3 in the installed state. An attacker could also try in flash memory 3 stored safety-relevant or sensitive data. These attacks are prevented according to the invention by the methods described below.

2 shows a flowchart of a first method according to an embodiment of the present invention. This first method prevents the data from being stored in flash memory 3 be manipulated by that the flash memory 3 completely replaced (ie replaced and replaced by another flash memory). This is done by a pairing of microcontroller 2 and flash memory 3 about their serial numbers 5 . 6 reached.

In a step S1, the respective serial numbers are factory-set 5 and 6 from the microcontroller 2 and the flash memory 3 read and stored in a memory of a (not shown) terminal or programming station.

In the following step S2, the serial numbers 5 and 6 concatenated (ie, hung together) and with an encryption key 8th encrypted. Where is the encryption key 8th Part of a key pair 8th . 9 for an asymmetric encryption method. The encryption key 8th is a secret key, which is known only at the factory, while in ROM 10 of the microcontroller 2 stored decryption keys 9 a public key that does not need to be kept secret.

These are the serial numbers 5 and 6 unencrypted information regarding the flash memory 3 : The serial number 6 is the serial number of the flash memory 3 while the serial number 5 the serial number of the device is the flash memory 3 is clearly associated. The encryption by the key 8th obtained encrypted characteristic information is hereinafter referred to as certificate 7 designated.

In step S3, the certificate becomes 7 factory in the storage area 20 of the flash memory 3 saved, which completes the factory-executed part of the process.

In step S4, the certificate becomes 7 from the flash memory 3 over the data line 4 in the RAM memory area 11 of the microcontroller 2 read. This step S4 may be performed, for example, every time the vehicle is started.

In step S5, the certificate becomes 7 with the decryption key 9 of the key pair 8th . 9 decrypted and separated into two serial numbers.

Finally, in step S6, it is checked whether the decryption with the key 9 serial numbers are identical to the serial numbers 5 and 6 which yes the microcontroller 2 are directly accessible.

Are those by the decryption with the key 9 received serial numbers identical to the serial numbers 5 and 6 , then it means that the flash memory 3 has not been exchanged and thus the data stored therein can be trusted. In this case, the procedure jumps to step S7, in which parameters and other data from the flash memory 3 be loaded into the RAM memory of the microcontroller for further processing.

Are those by the decryption with the key 9 received serial numbers are not identical to the serial numbers 5 and 6 , then it means that the flash memory 3 has been exchanged and the data stored therein may have been manipulated. In this case, the procedure jumps to step S8 in which an error reaction (reset) is performed and, for example, in the ROM memory of the microcontroller 2 stored default instead of the parameters and data in flash memory 3 into the RAM memory of the microcontroller 2 getting charged. Alternatively, a warning signal can be output, indicating that the flash memory 3 was manipulated. This warning signal can then be further processed, for example, in a step not shown in more detail so that an immobilizer is activated, which causes the motor vehicle can not be started if the flash memory 3 was manipulated.

By the method described above is achieved during the program runtime or when starting the controller 1 the encrypted serial numbers (characteristic information) with the key 9 (Public-Key) decrypts and with the serial numbers of the actual in the control unit 1 be verified installed components. By using an asymmetric encryption / decryption method it is ensured that with the control unit 1 stored information, only the decryption of the characteristic information can be performed, but not an encryption that could make a pairing of components. Thus, the key used for decryption needs 9 not to be kept secret.

The method steps S4 to S7 are implemented by a microcontroller 2 saved program realized. It is advantageous if this program in the ROM memory of the microcontroller 2 is stored. Thus it can be ensured that the program itself is not manipulated. For the same reason, it is also advantageous, though the decryption key 9 in the ROM memory of the microcontroller 2 is stored. Since no complex manufacturing steps are necessary for a ROM, this solution is also cost-effective.

It should be noted that in the embodiment described above, both the serial number 6 of the flash memory 3 as well as the serial number 5 of the microcontroller 2 used for mating flash memory and microcontroller. However, it is also possible that only the serial number of the flash memory as a certificate 7 is stored encrypted. In this case, protection against replacement of the flash memory is realized. However, it is preferable that both the serial number of the flash memory and the serial number of the microcontroller as a certificate 7 be stored encrypted, since then a clear match between flash memory and microcontroller is given, so that protection against the replacement of the microcontroller is guaranteed.

3 shows a flowchart of a second method according to an embodiment of the present invention. This second method will prevent the flash memory 3 stored data can be manipulated. This is achieved by having the data in flash memory 3 secured by signatures.

First, the data to be stored in the flash memory are provided with a signature at the factory. For this purpose, in step S1 using a hash function, a hash value of the data to be stored in the flash memory, that is, for example, of the boot code 21 , the program code 22 and / or the record 23 calculated. Hash function here is a non-reversible function (an algorithm) that uniquely maps a large amount of data to a much smaller target set, such as the message digest MD4 or the family of secure hash algorithms SHA. Details of these hash functions can be found, for example, in Bruce Schneier's Applied Cryptography, John Wiley & Sons, 1996.

In step S2, the hash value determined in step S1 is encrypted with the encryption key 8th Encrypted, whereby a signature SIG21, SIG22 and / or SIG23 is obtained.

In step S3, the Si determined in step S2 is determined factory-installed in flash memory 3 saved. It is advantageous if these steps S1 to S3 are for all in flash memory 3 stored sensitive data are performed and, as in 1 shown, both the boot code 21 , the program code 22 as well as the record 23 each with a signature SIG21, SIG22 or SIG23 be provided.

During runtime, the signature to be checked SIG21, SIG22 and / or SIG23 from the flash memory in step S4 3 over the data line 4 in the RAM memory area 11 of the microcontroller 2 read. For example, this step S4 may be performed each time the motor vehicle is started.

In step S5, the signature to be checked with the decryption key 9 of the key pair 8th . 9 decrypted, and thus determines an unencrypted hash value.

In step S6, the microcontroller determines 2 the hash value of the data to be verified in the flash memory 3 , with the same hash function used in step S1. The microcontroller reads this 2 the data to be verified from the flash memory 3 over the data line 4 in the RAM memory 11 and applies the hash function to this data, resulting in hash values of that data.

Finally, in step S7, it is checked whether in step S5 by the decryption with the key 9 obtained hash values are identical to the hash values obtained in step S6.

Are those by the decryption with the key 9 hash values obtained in step S5 identical to the hash values obtained in step S6, then it means that the flash memory 3 has not been tampered with and the data stored therein can thus be trusted. In this case, the procedure jumps to step S8, in which parameters and other data from the flash memory 3 be loaded into the RAM memory of the microcontroller for further processing.

Are those by the decryption with the key 9 In contrast, hash values obtained in step S5 are not identical to the hash values determined in step S6, this means that the flash memory 3 has been manipulated and the data stored therein can not be trusted. In this case, the procedure jumps to step S9, in which an error response (reset) is performed and, for example, in the ROM memory of the microcontroller 2 stored default instead of the parameters and data in flash memory 3 into the RAM memory of the microcontroller 2 getting charged. Alternatively, a warning signal can be output, indicating that the flash memory 3 was manipulated. This warning signal can then be further processed, for example, in a step not shown in more detail so that an immobilizer is activated, which causes the motor vehicle can not be started if the flash memory 3 was manipulated.

By the method described above is achieved during the program runtime or when starting the controller 1 in the flash memory 3 stored data to be verified. Also in this second procedure, by using an asymmetric encryption / decryption procedure, it is ensured that with the control unit 1 stored information, only the decryption of the characteristic information can be performed, but not an encryption that could make a pairing of components. Thus, the key used for decryption needs 9 not to be kept secret.

Another possible attack on the controller 1 may be that the attacker tries to flash in the memory 3 read data stored, and to copy or clone. This is made easier by the fact that the data is in flash memory 3 easy to read.

In an advantageous development of the embodiments explained above, therefore, measures are provided which prevent the detection of secrets. Specifically, this can be done by keeping in flash memory 3 stored data is encrypted and stored this encrypted data from the microcontroller 2 be decrypted.

So if the microcontroller 2 on the flash memory 3 accesses there to store data, then encrypted the microcontroller 2 this data before saving. The algorithm and key for this data encryption are again in ROM 10 stored so that they are protected against manipulation. If in this way encrypted data from flash memory 3 are read out into the microcontroller, then they are first decrypted before they are processed further.

For encryption / decryption, a symmetric encryption / decryption method is preferably used, since such a method is faster than an asymmetric method. In symmetric methods, the key used for encryption is identical to the key used for decryption, so it is advantageous to store this key in a memory area of the microcontroller 2 to save the outside not too is accessible, in other words storing this key read-out protected.

It is desirable that the key for the symmetric encryption has a high key length, because a short key length is vulnerable for like that called "bread-force" attacks in which the attacker the key advises by repeatedly trying. Furthermore, it is desirable that individual keys can be generated and Project- or customer-specific variations are possible. Generally there is the possibility the key in the form of programmable bits, for example as so-called "semiconductor fuses" (OTP bits - "one time programmable bits ") or to provide as hardwired bits.

Of the Advantage of programmable bits is that they have a high variation possibility Offer. variations are especially important when key corrupts, so known became. Programmable bits, however, are relatively expensive and for long key only partially suitable. The advantage of hardwired bits is that they are inexpensive are and therefore for long key lengths suitable are. However, they offer no due to the hard wiring Variations.

According to the invention will now suggested the key through a combination of programmable bits and hardwired To realize bits. Thus, it is possible, cost-effective for each control unit individualized keys to produce with high key length.

there is it cheap For example, if a key length of 16 bytes is about 10% of the Bits as OTP bits ("one time programmable bits ") and the remainder being provided as hardwired bits. To this Way can be realized inexpensively enough variation options with large key length become. For example, if 10 bits of the key are provided as OTP bits, this gives 2 ^ 10 = 1024 possible variations.

It is advantageous if the various measures described above for protection against attacks are combined with one another. In this way, more complete protection against the various types of attacks (ie, for example, replacement of flash memory 3 or the microcontroller 2 , Manipulation of data in flash memory 3 and copying or cloning sensitive data in flash memory 3 ) be achieved.

Claims (15)

Method for manipulation protection of a control device ( 1 ), in particular an engine control unit, with a microcontroller ( 2 ) and one separately from the microcontroller ( 2 ) provided non-volatile memory ( 3 ), which in particular as a flash memory ( 3 ), comprising the following steps: encrypting unencrypted characteristic information relating to the nonvolatile memory ( 2 ) by means of an asymmetric encryption method and storing the encrypted characteristic information ( 7 , SIG21, SIG22, SIG23) in non-volatile memory ( 3 ); Transmission of the information stored in the non-volatile memory ( 7 , SIG21, SIG22, SIG23) to the microcontroller ( 2 ); - Decrypting the transmitted information ( 7 , SIG21, SIG22, SIG23) through the microcontroller ( 2 ); and - comparison of the decrypted information with the unencrypted characteristic information by the microcontroller ( 2 ). A method according to claim 1, characterized in that the characteristic information is a serial number ( 6 ) of the non-volatile memory ( 3 ). Method according to claim 1 or 2, characterized in that the characteristic information is a serial number ( 5 ) of the microcontroller ( 2 ). Method according to one of the preceding claims, characterized in that the characteristic information has a hash value of in the non-volatile memory ( 3 ). Method according to one of the preceding claims, characterized characterized in that upon detection of inequality of the decrypted Information and the unencrypted characteristic information is an error reaction, in particular a reset, executed becomes. Method according to one of the preceding claims, characterized in that a further step for storing the key ( 9 ) for decrypting the information by the microcontroller ( 2 ) in a ROM memory ( 10 ) of the microcontroller ( 2 ) is provided. Method according to one of the preceding claims, characterized in that the following further steps are provided: - Encrypting data by the microcontroller ( 2 ); - storing the encrypted data in the non-volatile memory ( 3 ); - readout in non-volatile memory ( 3 ) stored by the microcontroller ( 2 ); and Decrypt the encrypted data read out by the microcontroller ( 2 ). Method according to Claim 7, characterized in that the encryption and decryption of data by the microcontroller ( 2 ) is performed with a symmetric encryption method. A method according to claim 8, characterized in that the key for encrypting and decrypting data by the microcontroller ( 2 ) as a combination of programmable bits and hardwired bits in the microcontroller ( 2 ) is stored. Tamper-proof control unit ( 1 ) with: a non-volatile memory ( 3 ) comprising a memory area ( 20 ) in which characteristic information relating to the nonvolatile memory ( 3 ) with a private key ( 8th ) of a key pair ( 8th . 9 ) are stored encrypted for asymmetric encryption; and a microcontroller ( 2 ), which is connected via a data line ( 4 ) with the non-volatile memory ( 3 ), and a ROM memory ( 10 ) in which the public key ( 9 ) of the key pair ( 8th . 9 ) for asymmetric encryption, and a program for decrypting data encrypted with asymmetric encryption are stored. Control unit according to Claim 10, characterized in that the characteristic information is a serial number ( 6 ) of the non-volatile memory ( 3 ). Control unit according to Claim 10 or 11, characterized in that the characteristic information also contains a serial number ( 5 ) of the microcontroller ( 2 ). Control unit according to one of Claims 10 to 12, characterized in that the characteristic information has a hash value of in nonvolatile memory ( 3 ). Control device according to one of claims 10 to 13, characterized in that in the ROM memory ( 11 ) of the microcontroller ( 2 Further, a symmetric key is stored for symmetrically encrypting data to be stored in the nonvolatile memory. control unit according to claim 14, characterized in that the symmetrical key contains programmable bits and hardwired bits.