Authenticating remote automotive peripherals using GMSL tunneling

Publisher: 温暖拥抱 | Latest update time: 2024-10-22 | Source: elecfans

As cars become more complex, the ways in which electronic control units (ECUs) communicate with remote peripherals within the vehicle are constantly being developed. In situations where these remote peripherals are responsible for mission-critical decisions, such as sensors or cameras that make up advanced driver assistance systems (ADAS), it is important to ensure that these peripherals are authorized, high-quality components. The combination of a Gigabit Multimedia Serial Link (GMSL) serializer-deserializer (SerDes) pair with the DS28C40 is a solution for bridging the communication between a secure authenticator embedded in a peripheral device, such as an ADAS camera or sensor, and the ECU that needs to verify the authenticity of the peripheral device.


GMSL Design and Technology

GMSL is a unique automotive service implementation entering the automotive communications market. GMSL technology is a low-power, high-bandwidth serializer and deserializer pair with high data integrity and reliability.

GMSL uses Power over Coax (PoC) to send power and data over a single coaxial cable. This means that power on the ECU side can be transmitted over the coaxial cable to power remote cameras or sensors, and in addition, to power the authenticator. Figure 1 illustrates how PoC fits into the GMSL design.



Figure 1. A standard I2C bus using a GMSL channel to communicate with a secure authenticator.


The DS28C40 is a smart and straightforward solution for adding security and authentication features to any application that uses GMSL communication between an ECU and a remote device such as a camera or sensor. In these applications, authentication may be required because low-level counterfeits could be added to a vehicle without the driver knowing, even during a routine repair shop visit. For example, a counterfeit ADAS camera may not have the correct field of view, resolution, or calibration information to provide accurate data to the ECU, and therefore could pose a significant safety risk or even cause an accident. After power-up, the ECU can verify multiple cameras and/or sensors in parallel to ensure that all mission-critical peripherals are authorized components. The DS28C40 can be easily added without much effort, as the GMSL device, once properly connected and configured, automatically searches for any actively listening devices on the I2C bus. When using the evaluation kit, these I2C devices automatically appear in the GMSL GUI.


GMSL devices have one master control channel and two pass-through channels that transmit I2C or Universal Asynchronous Receiver Transmitter (UART) signals over the GMSL link. The master control channel can access the registers of the serializer or deserializer, but the pass-through channels are pure tunnels and cannot control the SerDes I2C registers. In this case, the DS28C40 does not use the UART, but can use either the master control channel or a pass-through channel. To configure a pass-through channel so that the I2C signal uses the tunneling feature, both the serializer and the deserializer must set the IIC_1_EN or IIC_2_EN bit to 1, depending on which of the two channels is being used. Even in pass-through mode, pull-up resistors are required for I2C communication. The pins used for tunneling are SDA1_RX1 and SCL1_TX1 for channel 1, and SDA2_RX2 and SCL2_TX2 for channel 2. If multiple sensors are used with one deserializer, the GMSL SerDes chipset provides I2C address reassignment and translation functions to avoid I2C address conflicts.


The simplest way to add authentication to a peripheral, such as an ADAS camera or sensor, is to embed the DS28C40 in the peripheral and communicate with the ECU over a GMSL channel using an I2C tunnel. This reduces complexity because no registers need to be programmed, but instead enables the user to easily leverage the hardware of the GMSL system to quickly get communications up and running over I2C. Figure 2 illustrates this implementation, showing the authentication of the camera module by the ECU. Note that the DS28C40 authenticator is only necessary on the peripheral side because it is a public key device using an asymmetric algorithm, which is explained in more depth in this document. Therefore, security can be added with only one device because the host ECU can authenticate the camera using only a public key. At the same time, data communication over the GMSL pass-through channel is completely transparent to the I2C host and the DS28C40.



Figure 2. Communication between the ECU and the camera uses the GMSL I2C tunneling capability.


The DS28C40 uses an asymmetric algorithm, the Elliptic Curve Digital Signature Algorithm (ECDSA), to cryptographically authenticate each peripheral component. ECDSA is a public key algorithm, which means that each authenticator has a unique public-private key pair. The private key is embedded in the authenticator and never leaves the device. Its corresponding public key is stored in the device's one-time programmable (OTP) memory and can be freely read by the ECU. This public key is used to complete the ECDSA calculation to ensure that the authenticator provides the correct data to prove that it and the device in which it is embedded are valid parts of the system. An additional check on the validity of the device is performed because each authenticator contains a unique certificate, which ensures that it is a recognizable part of the system and has been programmed by the correct certificate authority. In addition, each time the DS28C40 generates a signature, it includes a unique challenge sent by the ECU to combat replay attacks, which could otherwise allow static values to be discovered and reused.


As mentioned earlier, there are two main steps in authentication. First, the host verifies that the DS28C40 certificate is a valid part of the system. Second, the DS28C40 is asked to sign a random challenge. The certificate authority creates and installs a unique certificate in each device by signing the DS28C40's unique public key with a system-wide private key that does not exist on the DS28C40. Therefore, a counterfeiter can directly copy the certificate, but cannot use the correct private key to sign the random challenge from the host. On the other hand, a counterfeiter can implement the ECDSA algorithm with a unique key pair and respond to a random challenge from the host. But this type of forgery cannot produce a valid certificate signed by the system-wide private key. This results in a very robust authentication process where the ECU uses the system-wide public key and the DS28C40's unique public key without the need for a secure host.
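
The two checks described above, run against a genuine part and the counterfeits the text discusses. This is an added example, not code from the original application note or from the DS28C40 software. It assumes the Python "cryptography" package and the P-256 curve with SHA-256, simplifies the device response to a signature over the challenge alone, and all function names and keys are hypothetical.

```python
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

ALG = ec.ECDSA(hashes.SHA256())  # ASSUMPTION: the page says only "ECDSA"

def encode(pub):
    """Bytes of a public key, i.e. what the certificate authority signs."""
    return pub.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)

def valid(pub, signature, message):
    try:
        pub.verify(signature, message, ALG)
        return True
    except InvalidSignature:
        return False

def ecu_authenticate(ca_pub, dev_pub, cert, respond):
    """ECU side; `respond` stands in for the signing request sent over the I2C tunnel."""
    if not valid(ca_pub, cert, encode(dev_pub)):   # step 1: certificate
        return "bad certificate"
    challenge = secrets.token_bytes(32)            # step 2: fresh random challenge
    if not valid(dev_pub, respond(challenge), challenge):
        return "bad challenge response"
    return "authentic"

def scenarios():
    """Constructed keys: system CA, a genuine part, and a counterfeiter's own key."""
    ca, dev, fake = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca_pub, dev_pub, fake_pub = ca.public_key(), dev.public_key(), fake.public_key()
    cert = ca.sign(encode(dev_pub), ALG)           # installed at provisioning
    recorded = dev.sign(b"challenge seen on an earlier power-up", ALG)
    return {
        "genuine part": ecu_authenticate(ca_pub, dev_pub, cert, lambda c: dev.sign(c, ALG)),
        "copied certificate": ecu_authenticate(ca_pub, dev_pub, cert, lambda c: fake.sign(c, ALG)),
        "replayed response": ecu_authenticate(ca_pub, dev_pub, cert, lambda c: recorded),
        "own key, self-signed": ecu_authenticate(
            ca_pub, fake_pub, fake.sign(encode(fake_pub), ALG), lambda c: fake.sign(c, ALG)),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case}: {verdict}")
```

The ECU holds only public keys in every scenario, which is why no secure host is needed on its side.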


In addition to adding security to automotive peripherals using only one IC, the ECU host command sequence is relatively simple to implement the two authentication steps. The DS28C40 EV kit and free software allow customers to quickly become familiar with device operation. Since the GMSL pass-through mode is transparent to the I2C host and DS28C40, the corresponding GMSL EV kit is not required to develop authentication command sequences.


As more and more original equipment manufacturers (OEMs) choose to embed communication and security methods into their ADAS peripherals, it is important to know that the various devices are compatible with each other. Fortunately, the DS28C40 secure authenticator and a GMSL SerDes pair combine strong security with reliable data communication.


Summary

This application note provides information on adding authentication in automotive settings using GMSL. It explains the importance of protecting peripheral devices from counterfeiting and the details of how to implement this security.

