Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Analyzing API Support for SAE J3101 Hardware Protected Security Environments
The automotive industry’s shift towards connected and autonomous vehicles demands robust hardware security. The SAE J3101 standard defines hardware protected security requirements for ground vehicles. To operationalize these requirements, software APIs are needed. The SAE J3101-1:2024 information report provides a thorough analysis of existing API—specifically the AUTOSAR Classic Platform Crypto API—against the J3101 requirements. This article summarizes the key aspects of that analysis, covering methodology, coverage findings, and engineering implications.
Methodology: Categorizing SAE J3101 Requirements
Every SAE J3101 requirement was extracted and classified into one of four categories based on its relationship to APIs. This categorization is fundamental for accurate coverage assessment.
| Category | Description |
|---|---|
| API Required | This requirement demands a dedicated API to support. |
| API Impacted | This requirement influences API design choices but does not itself require an API. |
| Implementation Specific | This requirement could be API-supported but is specific to individual HPSE or API implementations; an implementer may fulfill it without a dedicated API. |
| Internal | This is internal to HPSE firmware/hardware; no external API is needed. |
With this taxonomy, the analysis could clearly differentiate between requirements that must be explicitly exposed via an API versus those that affect its design or are internal.
Coverage Analysis Results: AUTOSAR Crypto API
The team evaluated the AUTOSAR Classic Platform Crypto API version R21-11 against these categories using three coverage labels: Yes (fulfilled), Partial (partially fulfilled), and No (not fulfilled).
| Coverage Result | Description |
|---|---|
| Yes | The requirement is fully met by the API specification. |
| Partial | The requirement is partially met; details are provided in the analysis. |
| No | The requirement is not supported by the API. |
Out of 159 total HPSE requirements, 94 were internal (no API impact). The remaining 65 either required dedicated API support or influenced the API. The AUTOSAR Crypto API covered or partially covered 39 of these 65, yielding approximately 60% coverage. Notably, 2 requirements were flagged as ambiguous and may need revision in future J3101 releases.
🛠️ Coverage Insight: The 60% figure is a starting point. While the AUTOSAR Crypto API handles many core cryptographic functions, certain areas like device lifecycle management are out of scope, requiring additional mechanisms.
Engineering Design Insights
The analysis yields several practical takeaways for engineers building HPSE solutions:
- Requirement categorization is critical. Misclassifying a requirement as API Impacted when it is really API Required can lead to missing essential API functions. Conversely, over-limiting the API to only Required items may overlook design constraints from Impacted categories.
- Partial coverage demands careful interpretation. A ‘Partial’ result does not necessarily mean the requirement is inadequately handled—it may be that some aspects are covered and others require supplementary APIs or custom implementation.
- API versions matter. The analysis used AUTOSAR R21-11; newer versions may alter coverage. Always re-evaluate when adopting a later API release.
- One API is seldom enough. The AUTOSAR Crypto API covers a significant portion, but other AUTOSAR layers or dedicated interfaces may be needed to fulfill all J3101 requirements.
⚠️ Important: This analysis is specific to the assessed API version. As SAE J3101 and automotive APIs evolve, coverage must be reassessed. Relying solely on a single outdated analysis could introduce security gaps.
Frequently Asked Questions
Q: How were SAE J3101 requirements categorized for the API analysis?
A: Each requirement was sorted into one of four groups: API Required (needs a dedicated API), API Impacted (influences API design), Implementation Specific (may be handled without an API depending on implementation), and Internal (no API interaction).
Q: What was the overall coverage of the AUTOSAR Crypto API?
A: The AUTOSAR Classic Platform Crypto API (vR21-11) covered or partially covered 39 out of the 65 requirements that have API impact, equating to about 60% coverage. The remaining 94 requirements were internal to the HPSE and thus not considered.
Q: What should engineers do with partially covered or non-covered requirements?
A: For requirements not covered, the report explains why (e.g., out of scope). Engineers must implement additional logic or use alternative APIs. For partial coverage, the report details which parts are supported; engineers should evaluate whether the partial support is sufficient or if extensions are needed.
Q: Does this analysis apply to all AUTOSAR versions?
A: The analysis was performed on the AUTOSAR R21-11 Crypto API. Coverage may differ with newer versions. It is recommended to conduct a similar analysis for the specific API version planned for development.
— This article is based on SAE J3101-1:2024, Hardware Protected Security Environment – Application Programming Interface Analysis – Information Report.
