Specification of Cryptography, AUTOSAR R22-11, AP, No.883
AUTOSARは、ISO、IEC、ITUと情報交換契約を結んでいません。
AUTOSAR文書には、ISO、IEC,ITU記述を全文引用することはできません。
WTO/TBT協定に基づき、国際的な調達は国際規格との差異を記述することにより文化依存しない仕様を目指します。
ISO、IEC、ITU文書を合わせて読むと技術内容は理解できます。
CAN、OSEK/VDX OS、DIAGは、ISO定義を先に確認しましょう。
OSEK COM、OSEK NMなどはISOの規定から基本的な部分で定義を変えています。
変更している部分を仕様等で明記するか、ISOを改定するとよいでしょう。
AUTOSARの参考文献欄の改定が進んでいません。
Glossary用語定義の網羅性が低いです。
本文を読む前に確認するとよいかもしれません。
本文を読んでから確認してもよいかもしれません。
AUTOSARが、2022年の版、R22-11公開しました。公開行事の模様は
AUTOSAR R22-11 Release Event 20221208
下記URL順次確認中です。
間違っていたら、いいね を押していただいて、コメント欄にご報告くださると幸いです。
編集リクエストが、構造的な変更をしている最中に、構造的な編集リクエストをしていただくと、
何をどう直したらいいかわからなくなってしまいます。自動修復ツールがつくれていません。ごめんなさい。
文書は検索してダウンロードすることができます。
クラウドサービスにありがちな、あるのにないかのような検索結果が出ることがあります。
要求/仕様(Requirement and Specification)
一覧
AUTOSAR R22-11 Adaptive Platform 一覧はこちら。
Adaptive Platform Release Overview, No.782, AP, AUTOSAR 22-11 新
Foundation Release Overview, No.781, FO, AUTOSAR 22-11 新
Classic Platform Release Overview, AUTOSAR R22-11, CP, No.0(2)
AUTOSAR R22-11 マラソン
AUTOSAR 文書番号と発行年
AUTOSAR R22-11で リンク切れ、表示しない文書
Qiitaの記事の一覧は作成中です。
AUTOSAR R22-11 Qiita記事一覧 新
Abstract Platformとの関係
RS統合
<この項は書きかけです。順次追記します。>
文書変更(Document Change)
• Added: [SWS_CRYPT_40984] [SWS_CRYPT_40985]
• Updated: [SWS_CRYPT_00502] [SWS_CRYPT_00503] [SWS_CRYPT_40983] [SWS_CRYPT_01820] [SWS_CRYPT_01821] [SWS_CRYPT_00919] [SWS_CRYPT_03303] [SWS_CRYPT_03305] [SWS_CRYPT_04204] [SWS_CRYPT_01821] [SWS_CRYPT_00919]
• Updated API: [SWS_CRYPT_40981] [SWS_CRYPT_20746] [SWS_CRYPT_21115] [SWS_CRYPT_21312] [SWS_CRYPT_22711] [SWS_CRYPT_23012] [SWS_CRYPT_23013] [SWS_CRYPT_23014]
• Editorial changes
用語(terms)
短縮名(short name)
| Abbreviation / Acronym | Description |
|---|---|
| ACL | Access Control List |
| AE | Authenticated Encryption |
| AEAD | Authenticated Encryption with Associated Data - Encryption scheme which simultaneously provides confidentiality and authenticity of data as well as additional authenticated but not encrypted data. |
| AES | Advanced Encryption Standard - A block cipher for the symmetric encryption of electronic data. |
| API | Abstract Programming Interface |
| ARA | Autosar Runtime Environment for Adaptive Applications |
| ASN.1 | Abstract Syntax Notation One, as defined in the ASN.1 standards |
| BER | Basic Encoding Rules |
| BLOB | Binary Large Object - A Binary Large OBject (BLOB) is a collection of binary data stored as a single entity. |
| CA | Certificate Authority or Certification Authority is an entity that issues digital certificates. |
| CBC | Cipher Block Chaining Mode - A mode of operation for symmetric ciphers (e.g. AES) that supports encryption. |
| CBC-MAC | Cipher Block Chaining Message Authentication Mode - A mode of operation for symmetric ciphers (e.g. AES) that supports authentication. |
| CCM | Counter Mode with CBC-MAC - An AEAD operation mode (encryption and authentication) for AES. |
| CMAC | Cipher-based Message Authentication Code - A mode of operation for symmetric ciphers (e.g. AES) that supports authentication and is similar but advanced to CBC-MAC. |
| CMP | X.509 Certificate Management Provider. |
| CO | Cryptographic Object |
| COUID | Cryptographic Object Unique Identifier |
| CRL | Certificate Revocation Lists is a list of digital certificates that have been revoked before their expiration date was reached. This list contains all the serial numbers of the revoked certificates and the revoked data. |
| CSR | Certificate Signing Request |
| CTL | Certificate Trust List is a list of digital certificates that are explicitly trusted in this environment. This list contains all the serial numbers of the explicitly trusted certificates. |
| DER | Distinguished Encoding Rules as defined in [2] |
| DH | Diffie-Hellman (key exchange method) |
| ECC | Elliptic Curve Cryptography - Public-key cryptography based on the structure of elliptic curves. |
| ECDH | Elliptic Curve Diffie-Hellman - An ECC based DH key exchange with perfect forward secrecy. |
| ECDSA | Elliptic Curve Digital Signature Algorithm - An ECC based signature scheme. |
| ECIES | Elliptic Curve Integrated Encryption Scheme - An ECC based encryption scheme. |
| ECU | Electronic Control Unit |
| FC | Crypto Functional cluster Cryptography. This is the AUTOSAR cluster, which provides all important functionality related to cryptograhic, key management, and certificate handling needs. |
| gamma | linear recurrent sequence |
| GCM | Galois Counter Mode - An AEAD operation mode (encryption and authentication) for AES. |
| GMAC | Galois MAC - A mode of operation for symmetric ciphers (e.g. AES) that supports authentication. |
| HSM | Hardware Security Module - Hardware security module, used to store cryptographic credentials and secure run-time environment |
| HMAC | Hashed Message Authentication Code |
| IETF | Internet Engineering Task Force |
| IKE | Internet Key Exchange |
| IPC | Inter-Process Communication |
| IPsec | Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. |
| IV | Initialization Vector |
| KDF | Key Derivation Function - A function to derive one or more keys from a secret value. |
| KEK | Key encryption key - A key that is used to encrypt another key for transportation or storage in an unsecure environment |
| KSP | Key Storage Provider |
| MAC | Message Authentication Code - A cryptographic function similar to a hash function. It takes a message of variable length and a secret key as input to generate a hash value, the MAC value. The MAC value is attached to the message to be sent. The receiver of the message can recalculate the MAC value to check if the message is authentic. |
| MGF | Mask Generation Function - A cryptographic function similar to a hash function. It takes a variable length input and an output length l to generate an output of length l. If the input is unknown, the output appears random. |
| OCSP | Online Certificate Status Protocol - Internet protocol used to obtain revocation status of X.509 certificates. |
| PEM | Privacy-Enhanced Mail |
| PKI | Public Key Infrastructure - A system that issues, distributes, and checks digital certificates. |
| PKCS | Public Key Cryptography Standard. |
| RA | Registration Authority |
| RNG | Random Number Generator |
| RSA | Rivest, Shamir, Adleman - RSA is an algorithm for public-key cryptography; It is named after its inventors Ronald L. Rivest, Adi Shamir and Leonard Adleman. |
| SecOC | Secure Onboard Communication |
| SHA-1 | Secure Hash Algorithm (version 1) - Hash functions family. |
| SHA-2 | Secure Hash Algorithm (version 2) - Hash functions family with different hash value length. |
| SHA-3 | Secure Hash Algorithm (version 3) - New hash function generation, faster and more secure as SHA-2. |
| SHE | Secure Hardware Extension |
| TLS | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. |
| TPM | The Trusted Platform Module is defined in [3] and is a secure cryptoprocessor. |
| UCM | Update and Configuration Management |
| UID | Unique Identifier |
| X.509 | Standard for certificates |
| Terms | Description |
|---|---|
| Adaptive Application | An adaptive application is a part of application SW in the architecture of Adaptive AUTOSAR. An adaptive application runs on top of ARA and accesses AUTOSAR functional clusters through ARA. |
| Adaptive Platform Services | Adaptive Platform Services are located below the ARA. They provide platform standard services of Adaptive AUTOSAR. |
| Asymmetric Key | An asymmetric key describes a pair of two keys (public and private key). A cipher text created by one key cannot be decrypted with this key. Encryption is only possible with the other key of this pair. |
| Block Cipher | A symmetric encryption that encrypts plaintext blocks of fixed length. |
| certificate serial number | An integer value, unique within the issuing authority, which is unambiguously associated with a certificate issued by that authority. |
| certification path | An ordered list of one or more public-key certificates, starting with a public-key certificate signed by the trust anchor, and ending with the public key certificate to be validated. All intermediate public-key certificates, if any, are CA-certificates in which the subject of the preceding certificate is the issuer of the following certificate. |
| Ciphertext | A ciphertext is an encrypted text, which is the result of encryption performed on plaintext. |
| CryptoAPI | The set of all interfaces that are provided by FC Crypto to consumers. |
| Crypto Provider | A structural element that organizes cryptographic primitives. |
| Cryptographic primitives | Well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. |
| Distinguished name | is originally defined in X.501 [4] as a representation of a directory name, defined as a construct that identifies a particular object from among a set of all objects. |
| Functional Cluster | The SW functionality of ARA is divided into functional clusters. Functional clusters provide APIs and can communicate with each other. |
| Instance Specifier | Crypto provider can have more than one instance. To distinguish between instances the spcific instance is addressed with an instance specifier. An instance specifier identifies one instance of a crypto provider. |
| Key Material | public keys, private keys, seeds. |
| Key Slot | Secure storage of key material. Key slots define the access to the stored key material and grant the access only to authorized application or functional cluster. |
| Key Storage Provider | A structural element that organizes and manages cryptographic keys. |
| Nonce | A nonce is a random or semi-random number that is generated for cryptographic topics. A nonce can be used as an input to a hash algorithm so that the hash algorithm computes a hash value out of two inputs |
| Plaintext | A plaintext is ordinary readable text before being encrypted into ciphertext or after being decrypted. |
| Policy Decision Point | A PDP defines which item (process, application, function) can decide if a requested access to resources may be granted or not. |
| Random Number Generator | A program that generates random numbers or pseudo random numbers in a given range. |
| Salt | A salt is a random or semi-random number which is created for passwords. When a password is edited for a user/account also a salt is created for this user/account. A hash algorithm creates a hash value of password and salt. Salts increase the security against brute force password guessing attacks. |
| SecretSeed | A secret value that is used as an initial value to start encryption/decryption. |
| Stream Ciphe | r A symmetric encryption that calculates cipher text out of streaming plaintext and the status result of the encryption of previous streamed plaintext. For the first part of encryption a start value is needed as status result. |
| Symmetric Key | In a symmetric encryption the same key (symmetric key) is used to encrypt plaintext into cipher text and to decode cipher text into plain text. A symmetric key is also called secret key because it must be kept secret. |
| X.509 Provider | Domain SW for X.509 certificates parsing, verification, storage and search. |
英日
日本語は仮訳
| no. | count | word | 日本語 |
|---|---|---|---|
| 1 | 4261 | the | その |
| 2 | 3146 | crypto | 暗号 |
| 3 | 2479 | ara | AUTOSAR Runtime for Adaptive Applications(短縮名) |
| 4 | 2415 | of | の |
| 5 | 1890 | sws_crypt_ | sws_crypt_ |
| 6 | 1152 | a | 一つの |
| 7 | 1042 | rs_crypto_ | rs_crypto_ |
| 8 | 1027 | cryp | 暗号 |
| 9 | 1025 | to | に |
| 10 | 1018 | key | 鍵 |
| 11 | 980 | if | もしも |
| 12 | 920 | id | identifier, 識別子(短縮名) |
| 13 | 914 | draft | 下書き |
| 14 | 908 | is | は |
| 15 | 869 | c | c |
| 16 | 825 | no | いいえ |
| 17 | 818 | d | d |
| 18 | 814 | in | の |
| 19 | 783 | except | それ外 |
| 20 | 777 | x | x |
| 21 | 721 | safety | 安全性 |
| 22 | 716 | value | 価値 |
| 23 | 688 | class | 級 |
| 24 | 674 | and | と |
| 25 | 668 | core | 芯 |
| 26 | 666 | description | 説明 |
| 27 | 657 | thread | より糸 |
| 28 | 655 | kind | 親切 |
| 29 | 652 | scope | 範囲 |
| 30 | 648 | syntax | 構文 |
| 31 | 648 | this | これ |
| 32 | 642 | include | 含む |
| 33 | 638 | file | 紙ばさみ |
| 34 | 636 | h | h |
| 35 | 636 | header | 見出し |
| 36 | 635 | symbol | 像 |
| 37 | 630 | return | 戻る |
| 38 | 620 | error | 誤り |
| 39 | 584 | const | constant(短縮名) |
| 40 | 576 | be | なれ |
| 41 | 550 | for | にとって |
| 42 | 536 | function | 働き |
| 43 | 512 | interface | 界面 |
| 44 | 510 | by | に |
| 45 | 491 | provider | 提供者 |
| 46 | 479 | or | また |
| 47 | 466 | context | 文脈 |
| 48 | 462 | domain | 領域 |
| 49 | 461 | result | 結果 |
| 50 | 454 | shall | しなければならない |
| 51 | 451 | provided | 提供した |
| 52 | 436 | not | ない |
| 53 | 413 | an | と |
| 54 | 408 | autosar | AUTomotive Open System Architecture(短縮名) |
| 55 | 407 | object | 物体 |
| 56 | 402 | specification | 仕様 |
| 57 | 400 | exception | 例外 |
| 58 | 398 | alg | algorithm(短縮名) |
| 59 | 397 | cryptography | 暗号化 |
| 60 | 389 | certificate | 証明書 |
| 61 | 366 | document | 資料 |
| 62 | 365 | r | r |
| 63 | 357 | size | 大きさ |
| 64 | 355 | ap | adaptive platform(短縮名) |
| 65 | 354 | autosar_sws_cryptography | autosar_sws_cryptography |
| 66 | 344 | virtual | 仮想 |
| 67 | 334 | type | 型 |
| 68 | 331 | only | それだけ |
| 69 | 325 | safe | 安全な |
| 70 | 311 | algorithm | 算法 |
| 71 | 307 | std | standard(短縮名) |
| 72 | 280 | parameters | 引数 |
| 73 | 277 | from | から |
| 74 | 276 | data | 与件 |
| 75 | 256 | that | それ |
| 76 | 254 | with | と |
| 77 | 236 | signature | 署名 |
| 78 | 232 | used | 使った |
| 79 | 219 | usage | 利用方法 |
| 80 | 218 | can | できる |
| 81 | 210 | name | 名前 |
| 82 | 209 | has | 持つ |
| 83 | 206 | uptr | unique pointer(短縮名) |
| 84 | 204 | region | 領域 |
| 85 | 203 | errors | 誤り |
| 86 | 197 | method | 方法 |
| 87 | 197 | read | 読む |
| 88 | 196 | bool | 論理値 |
| 89 | 190 | instance | 実例 |
| 90 | 189 | allowed | 許可された |
| 91 | 187 | TRUE | 真 |
| 92 | 186 | seed | 種 |
| 93 | 185 | void | 空所 |
| 94 | 184 | io | input output(短縮名) |
| 95 | 178 | keys | 鍵 |
| 96 | 178 | mem | memory(短縮名) |
| 97 | 168 | container | 容器 |
| 98 | 167 | as | なので |
| 99 | 165 | are | です |
| 100 | 161 | other | 他の |
参照(reference)
3.1 Input documents & related standards and norms
[1] Glossary, AUTOSAR_TR_Glossary
https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_TR_Glossary.pdf
[2] X.690 : Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) https://www.itu.int/rec/T-REC-X.690
[3] ISO/IEC 11889-1:2015 Information technology - Trusted platform module library - Part 1: Architecture http://www.iso.org
[4] X.501 : Information technology - Open Systems Interconnection - The Directory: Models https://www.itu.int/rec/T-REC-X.501
[5] Specification of Adaptive Platform Core, AUTOSAR_SWS_AdaptivePlatformCore
[6] Requirements on Security Management for Adaptive Platform, AUTOSAR_RS_SecurityManagement
[7] BSI: Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators (AIS), https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_20_Functionality_Classes_Evaluation_Methodology_DRNG_e.pdf?__blob=publicationFile[5]
[8] Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
[9] Public Key Cryptography for the Financial Services Industry Key Agreement and Key Stransport Using Elliptic Curve Cryptography https://webstore.ansi.org/preview-pages/ASCX9/preview_ANSI+X9.63-2011+(R2017).pdf
[10] Recommendation for Key Derivation Using Pseudorandom Functions (Revised) https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf
[11] Elliptic Curve Cryptography, https://www.secg.org/sec1-v2.pdf
[12] ISO IEC 9797-3:2011 Amd 1:2020(en) Information technology - Security techniques - Message Authentication Codes (MAC), http://www.iso.org
[13] HMAC: Keyed-Hashing for Message Authentication https://tools.ietf.org/html/rfc2104
[14] Updated Security Considerations the MD5 Message-Digest and the HMAC-MD5 Algorithms, https://tools.ietf.org/html/rfc6151
[15] Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet, Key Exchange version 02 (IKEv2) Protocol https://rfc-editor.org/rfc/rfc5930.txt
[16] ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) https://rfc-editor.org/rfc/rfc7905.txt
[17] TRIVIUM Specifications http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.9030
[18] PKCS #5: Password-Based Cryptography Specification Version 2.0 https://rfc-editor.org/rfc/rfc2898.txt
[19] PKCS #5: Password-Based Cryptography Specification Version 2.1 https://rfc-editor.org/rfc/rfc8018.txt
[20] PKCS #7: Cryptographic Message Syntax Version 1.5 https://rfc-editor.org/rfc/rfc2315.txt
[21] Financial institution encryption of wholesale financial messages: X9.23
[22] Advanced Encryption Standard (AES) Key Wrap Algorithm https://tools.ietf.org/html/rfc3394
[23] Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm https://tools.ietf.org/html/rfc5649
[24] ISO/IEC 9796-2:2010 Information technology - Security techniques - Digital signature schemes giving message recovery - Part 2: Integer factorization based mechanisms, http://www.iso.org
[25] Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS), https://rfc-editor.org/rfc/rfc3278.txt
[26] Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS) https://rfc-editor.org/rfc/rfc5753.txt
[27] IEEE P1363: A Standard for RSA, Diffie-Hellman, and Elliptic-Curve Cryptography (Abstract)
[28] New directions in cryptography https://ieeexplore.ieee.org/document/1055638
[29] Guide for Internet Standards Writers https://tools.ietf.org/html/rfc2360
[30] X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP https://rfc-editor.org/rfc/rfc6960.txt
[31] X.509 https://www.itu.int/rec/T-REC-X.509/en
[32] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List
(CRL) Profile https://rfc-editor.org/rfc/rfc5280.txt
[33] PKCS #10: Certification Request Syntax Specification Version 1.7 https://tools.ietf.org/html/rfc2986
[34] The application/pkcs10 Media Type https://tools.ietf.org/html/rfc5967
[35] Internet X.509 Certificate Request Message Format https://tools.ietf.org/html/rfc2511
[36] Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) https://tools.ietf.org/html/rfc4211
[37] S/MIME Version 2 Message Specification https://tools.ietf.org/html/rfc2311
[38] Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2 https://rfc-editor.org/rfc/rfc5208.txt
[39] PKCS #12: Personal Information Exchange Syntax v1.1 https://tools.ietf.org/html/rfc7292
[40] X.680 : Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation https://www.itu.int/rec/T-REC-X.680
[41] X.682 : Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification https://www.itu.int/rec/T-REC-X.682
[42] X.683 : Information technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications https://www.itu.int/rec/T-REC-X.683
[43] Keying and Authentication for Routing Protocols (KARP) Design Guidelines https://tools.ietf.org/html/rfc6518
[44] Internationalized Email Addresses in X.509 Certificates https://tools.ietf.org/html/rfc8398
[45] Internationalization Updates to RFC 5280 https://tools.ietf.org/html/rfc8399
[46] Transport Layer Security (TLS) Extensions: Extension Definitions https://tools.ietf.org/html/rfc6066
[47] The Transport Layer Security (TLS) Multiple Certificate Status Request Extension https://tools.ietf.org/html/rfc6961
[48] The Transport Layer Security (TLS) Protocol Version 1.3 https://tools.ietf.org/html/rfc8446
関連文書(Related document)
AUTOSAR Abstract Platformへの道(詳細編)
2023年1月 記事数一覧
年末100記事を30点に仕上げる。
2023 書き初め
「はじめてのCAN/CANFD 」 ベクタージャパン <エンジニア夏休み企画>【読書感想文】
三方良し Udemy 車載LAN入門講座 CAN通信編
詳解 車載ネットワーク CAN, CAN FD, LIN, CXPI, Ethernetの仕組みと設計のために(1) 著者 <エンジニア夏休み企画 読書感想文>
詳解 車載ネットワーク CAN, CAN FD, LIN, CXPI, Ethernetの仕組みと設計のために(2)参考文献 <エンジニア夏休み企画>【読書感想文】
詳解 車載ネットワーク CAN、CAN FD、LIN、CXPI、Ethernetの仕組みと設計のために
AUTOSAR Abstract Platform User Group Weekly Report(1) 2022.1.8
AUTOSAR Abstract Platform User Group Weekly Report(2) 2022.1.15
202304 URL更新
Specification of Cryptography, AUTOSAR 883, R22-11, AP, 20230421
<この記事は個人の過去の経験に基づく個人の感想です。現在所属する組織、業務とは関係がありません。>
文書履歴(document history)
ver. 0.01 初稿 20230205
ver. 0.02 ありがとう追記 20230730
最後までおよみいただきありがとうございました。
いいね 💚、フォローをお願いします。
Thank you very much for reading to the last sentence.
Please press the like icon 💚 and follow me for your happy life.