TrustCentral’s technology, built on PKI, offers many benefits for the automotive industry. These benefits are made possible by the following proprietary tools:
Secure Communications Lines
- Authenticated relationships established between paired endpoints using an Inviter-Invitee Protocol
- A PKI certificate is issued for each authenticated, paired communication line
- Encryption and digital signing are supported between endpoints
- IoT devices only talk to previously authenticated endpoints and no others
- Helps devices maintain their own security in hostile environments
- Supports device collaboration only with authenticated devices
- Supports coordination among devices for the execution of sophisticated use cases
Faster, improved TLS setup with DDoS protection
- A traditional principle of TLS is “Trust on First Use” (TOFU)
- With Secure Communication Lines, the TLS principle becomes “Trusted Before First Use”
- This certificate-based trust provides both faster TLS setup and DDoS protection for vehicles
Vehicle Identities Support Secure and Flexible Remote Access
Each vehicle’s communication lines are characterized with context-specific identities that are governed by end-to-end digital agreements established during Inviter-Invitee processing. Context-specific identities are dynamically customizable, and communication lines can be revoked on demand and/or via automated procedures tied to digital agreement enforcement. Identity profiles may differ for each of a vehicle’s many communication lines, such as:
- Vehicle owner (e.g., via smart phone): “Sam’s car”
- Vehicle’s Passive Keyless Entry and Start (PKES) fob: “Sam’s car fob”
- OTA update for telematics: “Unique vehicle telematics identity”
- OTA update for operating components: “Unique vehicle operating components identity”
- OTA update for regulatory purposes: “Unique vehicle regulatory identity”
- Maintenance access: “Unique vehicle maintenance identity for authorized dealers”
Thus a vehicle may have multiple identity profiles and communication lines. Each communication line is authenticated and then validated with a unique PKI certificate that carries its own rules, business logic, etc. Different authenticated external endpoints (e.g., those listed above) may each have their own communication line with the same vehicle, each with its own rules.
Sale of a Vehicle
This technology can support the transition of vehicle ownership through the sales process. For example, a digital certificate (with all vehicle information) may be created for each vehicle at sale. The sale transaction itself can be supported for the buyer and dealer, including a digital signing capability provided to each party for sales contract execution. The vehicle’s informational digital certificate ideally will become associated with the vehicle’s digital sale record (plus any financing record), with both being associated with the buyer.
The vehicle’s Passive Keyless Entry and Start (PKES) fobs would be provisioned as IoT devices per the Inviter-Invitee Protocol. The security ecosystem will also support a custom secure app on a buyer’s mobile device. Once the app is provisioned on the buyer’s mobile device, it can then be authenticated with the buyer’s vehicle. The authenticated buyer, vehicle and PKES can be associated together in a distinct secure group. For the communication exchanges between the fob and the vehicle, a high level of authenticated security supported by encryption and digital signing will be established in order to eliminate existing (and well-documented) hacking vulnerabilities of typical PKES systems.
A dealer and/or manufacturer may optionally establish a secure communication line with the buyer via the mobile app. Thus a dealer or manufacturer may gain a useful direct, secure communication line for priority communications with the buyer.
Vehicle Maintenance and Support
The security ecosystem may continue its support of a vehicle through the maintenance and ownership period. Authentication may be provided for maintenance personnel who need to establish authorized, secure access to vehicles. For example, in the case of automobiles, approved maintenance user groups could include: automobile dealers; manufacturer representatives; or other specified entities. For example, prior to gaining maintenance access to a vehicle, an authorized automobile dealer maintenance worker would be authenticated as a member of the dealer “group” given access to the “IoT Devices Group” of individual automobiles (initial registration of a worker would be a one-time setup occurrence). Such users may be granted controlled access to components within a vehicle. Specific rights may be customizable for each individual maintenance worker.
Through the management capabilities of PKI features, all relationships will be visible and auditable via an API. Membership in groups may be manageable in real time (e.g., a dismissed employee or terminated dealer will immediately lose the ability to establish access to vehicles).