Global Sources
EE Times-India
Stay in touch with EE Times India
EE Times-India > Networks

Encrypted signal transmission in a CAN-FD network

Posted: 05 Aug 2015     Print Version  Bookmark and Share

Keywords:data transmission  ID key  CAN network  transport protocol  ECU 

In today's vehicle networks, data transmission is for the most part performed without any special security measures. That is, in accessing a vehicle's bus system, it is possible to read the data transmitted in raw format or to even play it into the bus system in modified form. Encrypted data transmission would not only ensure that this information can only be evaluated by authorised recipients, it would also make it much more difficult to intercept or alter the messages.

Media reporting about vehicle manipulation [1, 2] raises the question of whether data in the vehicle network can actually be influenced by manipulation. Can a manipulated device or internally implanted device with a remote control function influence vehicle behaviour? And what countermeasures can be taken to prevent such manipulation?

Today's vehicles are highly complex systems, which consist of networked sensors and actuators and continually transmit important data over bus systems. In the vast majority of cases, the information being transmitted is in raw data format. A plausibility check, if such a check is even possible, has limited effectiveness. The receiver is unable to verify whether the data was actually supplied by the desired sender or whether it was fed in by an outside electronic control unit, i.e. whether it is authentic data. The data is freely accessible as well, so an analysis of the bus information can be used to determine signal contents. The transmission is neither confidential nor authenticated.

This was the problem that engineers at Vector were confronted with. Their task was to come up with an implementation for secure communication over a CAN network which could be used flexibly and could also be integrated with AUTOSAR-3.x basic software. Key protection goals, along with authentication, included preventing replay attacks. It would be desirable to implement communication that could not be accessed externally.

For the encryption method, the specialists chose the AES algorithm [3]. From today's perspective this method is considered cryptographically secure. It involves symmetrical block encryption with a block length of 128 bits. It generates 16B or a multiple of 16, which the sender transmits to the receiver. It is advantageous that some microcontrollers already have very fast hardware implementations of this algorithm.

Since a CAN message can transmit a maximum of 8 data bytes per frame, a decision was made to utilise the ISO transport protocol (TP) that was already included in the communication stack for the transfer. This required simplifying the CAN configuration and protocol for unidirectional communication with a fixed 1:1 relationship between sender and receiver.

Symmetrical encryption requires that both the sender and receiver have the same key. The software modules that are used permit dynamic allocation of the keys at runtime, so that the user or OEM can freely choose them.

A higher-level method such as an (asymmetrical) key exchange method might be implemented, or a static allocation might be made, such as in end-of-line programming. When a vehicle-specific key is used, whenever an ECU is replaced, the automotive service shop must train the new ECU by an authorisation method, because the key must be kept confidential under all circumstances.

Preventing replay attacks
In this configuration, encrypted transmission of messages is now possible, where the information is, however, still purely static, i.e. a unique key text can be assigned to the plain text signals. This means that replay attacks, i.e. recording excerpts of a desired communication and replaying it into the system at a later time, can still be made. That is because the receiver cannot check whether the message actually originates from the sender at this time point. To make checking possible, at the start of communication the receiver generates a random value it selects – which is referred to as the ID key in the following – and it communicates this to the sender. The sender increments the value with each Tx operation and appends it to the Tx message. When the message arrives, the receiver checks whether the ID key matches the expected value. If it does, it processes the message; otherwise it rejects it. To tolerate possible message losses, the receiver will also accept a slightly higher value. This means that the counter in the Tx message continually alters the encrypted data even if the signal contents remain the same (figure 1).

Figure 1: Message transmission and timing of encrypted communication.

Depending on the word width of the ID key and the frequency with which the message is sent, overruns of the counter value might be expected in the message, which would lead to repeated transmission of the encrypted message. To avoid this, the ID key also gets a validity time period. When this period expires, the receiver must generate a new value and communicate it to the sender. Immediately after receiving a new ID key, the sender transmits the encrypted message. This means that the receiver is also able to initiate the repetition of a message, such as if the received ID key does not agree with the internal key, and this reduces latency times. The sending node receives and considers new ID key messages for a time T(offset), but to avoid an overload of the bus system such messages do not immediately lead to resending of the encrypted message. To stabilise the protocol, the receiving side uses the timer T(Resent) to monitor the response of the sender with the new counter value. If it does not get an acknowledgment message from the sender, the receiver generates a new ID key and resends it. This makes it possible to detect even a brief failure of the sending ECU and to shorten the time for resending. It also avoids storage of the ID key in nonvolatile memory.

Data transmission with CAN FD without segmentation
There is a significant disadvantage associated with segmented data transmission in CAN over the ISO-15765 transport protocol. Transmission time is increased, and this method is restricted to a fixed 1:1 relationship, because segmented data transmission over ISO-15765 is very difficult to implement with multiple nodes. CAN FD, on the other hand, enables simultaneous transmission of the entire encrypted message to multiple receivers [4]. Each receiver needs the same symmetrical key to decrypt the encrypted message. Two variants of the ID key for authentication come into consideration: either all receivers will use a commonly agreed value, or all receivers independently generate and send their ID key to the sender. The sender manages all counters and appends them to the data message. The positions of the counter values within the encrypted message must be uniquely assigned to the receivers. Figure 2 shows data transmission for multiple receivers. First, the receivers transmit their randomly generated start values to the sender. The sender then increments all ID keys for each send cycle and insert them into the encrypted message at the predefined positions. The relevant receiver then checks its ID key and accepts the data or rejects it (figure 2).

Figure 2: ID keys of multiple receivers in the use of CAN-FD.

1 • 2 Next Page Last Page

Comment on "Encrypted signal transmission in a C..."
*  You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.


Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

Back to Top