Secure Communication for CAN FD

Secure communication

CAN FD for CAN FD

Encrypted data transmission is not yet the norm in vehicle networks. Vector has conceived an implementation for secure communication over CAN. Protection goals were authentication and preventing replay attacks.

Author n today’s vehicle networks, control function influence important data over bus Idata transmission is for the vehicle behavior? And systems. In the vast major- most part performed with- what countermeasures can ity of cases, the informa- out any special security be taken to prevent such tion being transmitted is in measures. Because of this, manipulations? raw data format. A plausi- it is possible to read out the Today’s vehicles are bility check, if such a check data transmitted in raw for- highly complex systems, is even possible, has lim- mat or to even play it into which consist of networked ited effectiveness. The the bus system in modified sensors and actuators receiver is unable to ver- form if you have direct ac- and continually transmit ify whether the data was Armin Happel cess to the vehicle bus. En- crypted data transmission Principal Software Development would not only ensure that Engineer this information could only Vector Informatik GmbH be evaluated by authorized Ingersheimer Str. 24 recipients. At the very least, DE-70499 Stuttgart it would also make it much Tel.: +49-711-80670-0 more difficult to intercept or Fax: +49-711-80670-111 alter the messages. Media reports about Link vehicle manipulation [1], www.vector.com [2] raise the question of whether data in the vehicle network can actually be influenced by manipulation. Can a manipulated device or internally implant- Figure 1: Message transmission and timing of encrypted ed device with a remote communication

CAN Newsletter 4/2014 actually supplied by the desired sender or whether it was fed in by an outside electronic control unit, i.e. whether it is authentic data. The data is freely accessi- ble as well, so an analysis of the bus information can be used to determine signal contents. The transmission is neither confidential nor authenticated. This was the prob- Figure 2: ID keys of multiple receivers in the use of CAN FD lem that engineers at Vec- tor were confronted with. choose them. A higher-lev- losses, the receiver will also ECU and shortens the time Their task was to come up el method such as a (asym- accept a slightly higher val- for resending. It also avoids with an implementation for metrical) key exchange ue. This means that the storage of the ID key in non- secure communication over method might be imple- counter in the transmit mes- volatile memory. a CAN network which can mented, or a static alloca- sage continually alters the be used flexibly and can tion might be made such as encrypted data even if the Data transmission also be integrated with Au- in end-of-line programming. signal contents remain the without segmentation tosar-3.x basic software. Whenever an ECU is re- same (Figure 1). Protection goals were au- placed and a vehicle specif- Depending on the There is a significant dis- thentication and prevent- ic key is used, the new ECU word width of the ID key advantage associated with ing replay attacks. It was must be set up by an au- and the frequency with segmented data transmis- also desirable to implement thorization method, which which the message is sent, sion in CAN over the ISO- communication that cannot keeps the key confidential overruns of the counter val- 15765 transport protocol. be monitored under all circumstances. ue might be expected in the Transmission time is in- For the encryption message, which would lead creased, and this method is method, the specialists Preventing replay to repeated transmission of restricted to a fixed 1:1 rela- chose the AES algorithm attacks the encrypted message. To tionship, because segment- [3]. From today’s perspec- avoid this, the ID key is only ed data transmission over tive, this method is con- In this configuration, an en- valid for a certain time pe- ISO-15765 is very difficult sidered cryptographically crypted transmission of riod. When this period ex- to implement with multiple secure. It involves symmet- messages is now possi- pires, the receiver must nodes. CAN FD on the other rical block encryption with ble, where the information generate a new value and hand enables simultaneous a block length of 128 bits. It is, however, still purely stat- communicate it to the send- transmission of the entire generates 16 bytes or a mul- ic, i.e. a unique key text can er. Immediately after receiv- encrypted message to multiple of 16, which the send- be assigned to the plain text ing a new ID key, the sender tiple receivers [4]. Each re- er transmits to the receiver. signals. This means that re- transmits the encrypted ceiver needs the same sym- An additional advantage is play attacks, i.e. recording message. This means that metrical key to decrypt the that some microcontrollers excerpts of a desired com- the receiver is also able to encrypted message. Two already have very fast hard- munication and replaying initiate repetition of a mes- variants of the ID key for au- ware-based implementa- it into the system at a later sage, such as if the received thentication come into con- tions of this algorithm. time, can still be made. That ID key does not agree with sideration: either all receiv- Since a CAN message is because the receiver the internal key, and this ers agree on a commonly can transmit a maximum of cannot check whether the reduces latency times. Al- agreed value, or all receiv- 8 data bytes per frame, a message actually originates though the sending node ers independently generate decision was made to uti- from the sender at this point receives and considers and send their ID key to the lize the ISO transport pro- in time. To make check- new ID key messages for sender. The sender manag- tocol (TP) that was already ing possible, at the start of a time T(offset), to avoid an es all counters and appends included in the communica- communication the receiver overload of the bus system them to the data message. tion stack for the transfer. generates a random value – such messages do not im- The positions of the counter To simplify the configuration which is referred to as the mediately lead to resending values within the encrypted and reduce protocol over- ID key in the following – and of the encrypted message. message must be uniquely head, a unidirectional com- it communicates this to the To make the protocol more assigned to the receivers. munication with a fixed 1:1 sender. The sender incre- robust, the receiving side Figure 2 shows data relation between sender ments the value with each uses the timer T(Resent) to transmission for multiple and receiver was chosen. transmission and appends monitor the response of the receivers. First, the receiv- Symmetrical encryp- it to the transmit message. sender with the new counter ers transmit their random- tion requires that both the When the message arrives, value. If it does not get an ly generated start values sender and receiver have the receiver checks wheth- acknowledgment message to the sender. The sender the same key. The software er the ID key matches the from the sender, the receiv- then increments all ID keys modules that are used per- expected value. If it does, er generates a new ID key for each send cycle and in- mit dynamic allocation of it processes the message; and resends it. This makes sert them into the encrypted the keys at runtime, so that otherwise it rejects it. To it possible to detect even a message at the predefined the user or OEM can freely tolerate possible message brief failure of the sending positions. The relevant CAN FD

Figure 3: Software components for encrypted transmission

Literature receiver then checks its ID system provided a stable has led to favorable classi- [1] http://www.chip.de/news/CAN- key and accepts the data or transmission. fication of the relevant vehi- Hacking-Tool-Autos-hacken-fuer- rejects it (Figure 2). cle for insurance premiums. 20-Dollar_67066892.html [only However, as the num- Summary and In this case, security not German] ber of receivers increases, Outlook only protects data; it even [2] http://www.can-newsletter. this reduces the message offers a direct cost advan- org/engineering/engineering- space that remains for use- In CAN FD, in particular, it tage to the end user. miscellaneous/140822_list-of- ful data. The number of use- took relatively little effort to In the near future, re- potentially-vulnerable-cars_ ful data bytes is also highly implement robust transmis- mote connections such blackhat/ dependent on the select- sion of encrypted data with as Car2x communication, [3] Advanced Encryption Standard ed word width of the ID multiple nodes, and this WLAN, Bluetooth and Inter- (AES), FIPS PUB 197 key. The communication method can also fit into an net will continue to grow and [4] CAN with Flexible Data Rate – timing illustrated in Figure existing Autosar environ- will necessitate much more Specification Version 1.0, Robert 1 was applied. It only re- ment. One disadvantage is stringent requirements for Bosch, GmbH; April, 2012 http:// quired a modification for the the serialization and deseri- IT security. These access www.bosch-semiconductors.de/ sender in receiving the ID alization of the data on the modes must be made se- en/ubk_semiconductors/safe/ip_ key. Instead of immediate- application level (Figure 3), cure against attacks and modules/can_fd/can.html ly transmitting the encrypt- which means that modeling must not permit any remote ed message, the sender properties of the RTE can- manipulation. This is espe- waits for a configurable not be used any longer for cially true of information to time T(IdKeyReply) to al- individual signals. The clas- driver assistance systems, low time for any other ID sic points of attack on such which rely on reliable mes- key messages from other systems must still be kept in sages from other traffic receivers. The special case mind. They include, for ex- participants and/or the in- T(IdKeyReply)=0 covers the ample, weak random num- frastructure. original method. ber generators for the ID Vector implemented keys (at startup) or spying the protocol for CAN FD in the symmetrical keys. a CANoe environment. The In the security tech- specialists subjected the nology world, the AES-128 protocol to extensive tests algorithm is considered se- using this software tool for cure for the near future, development, simulation, and its implementations and testing of ECUs and are mature or will even be networks. Along with the re- supported by hardware ac- quired robustness against celerators. The method pre- replay attacks, another fo- sented here makes attacks cus was to study message on the CAN (FD) communi- losses, failure, and re-en- cation much more difficult, try of sender and receiv- and manipulation is hard- er as well as timing errors ly possible without “insider and burst attacks. In all of knowledge”. It has already these cases, the encryption been in production use for several years, and it also

CAN Newsletter 4/2014