Patent Grant
12021999
The invention relates to apparatuses and methods for generating (at the transmitter) and authentication checking (at the receiver) at least one data packet to be transmitted in a bus system (BU), in particular of a motor vehicle.
The following publications relate to the secure transmission of messages:
Message authentication codes “MAC” can be used to ensure the integrity of a transmitted message, similarly to a checksum. In the case of an encrypted MAC (that is to say CMAC), this can be calculated, even at the receiver, only if a cryptographic key is known. A receiving bus subscriber that is likewise in possession of this key can thus check the content of a message for authenticity. The message itself is transmitted in unencrypted form together with a MAC or CMAC.
It is an object of the invention to efficiently implement secure communication in a bus system of a vehicle.
The object is achieved by the subject matter of each of the independent patent claims, specifically in particular at the transmitter and at the receiver, in each case as a method and an apparatus. Embodiments of the invention can efficiently allow secure communication in a network in a vehicle. The method can e.g. efficiently allow authentication of a replay-resistant transmitted message authentication code CMAC in the receiver of a data packet.
Some particularly advantageous embodiments of the invention are specified in the subclaims and the description.
According to embodiments of the invention, the count can be e.g. a value, generated using a counter, that e.g. represents the number of messages transmitted and/or received via the bus system hitherto, in particular since the last restart of the bus system, (which may be particularly easy to implement e.g. in software) or a timer value, of at least one timer, that is available in particular on multiple or all bus subscribers (which can increase security in particular when the same time/timer values are available on multiple bus subscribers).
According to embodiments according to the invention, an authentication check at the receiver can in particular use a threshold value when comparing a current received message count and a preceding received message count, said threshold value preferably being set to a higher value after a restart of the bus system than in other normal operation, which can optimize security depending on the situation.
The bus system, in particular a CAN bus or a CAN FD bus or a LIN bus or an SPI bus or an Ethernet bus, or an I2C bus, can be provided for communication between ECUs.
Further features and advantages of some advantageous embodiments of the invention will emerge from the description below of exemplary embodiments of the invention with reference to the drawing, in which, by way of example, to illustrate some possible embodiments of the invention, and in a simplified and schematic manner:
The structure of data packets DP1, DP2, DP3, DP4 is described by way of illustration for an example of a network in the form of a CAN bus in de.wikipedia.org/wiki/Controller Area Network.
A message authentication code (MAC, known e.g. from de.wikipedia.org/wiki/Message Authentication Code) is generated from the message MSG (that is to say e.g. the user data to be transmitted and/or the DATA field in a data packet) having the length M bytes (byte e.g. comprising 8 bits each; M e.g. =8), namely
A transmitting bus subscriber SG7 transmits the following to a receiving bus subscriber SG6, e.g. in a data packet DP1 (or DP2 or DP3 or DP4 or DP0):
M, F, N are natural numbers, e.g. in each case fixed values for all data packets.
A truncated (to the length N) transmitted message authentication code CMAC cannot be calculated without knowledge of the cryptographic key Key.
A receiving bus subscriber that is likewise in possession of this key Key can use the received truncated message authentication code CMAC to check the content of a message MSG for authenticity.
If data packets DG1, DG2, DG3 having the same message content MSG were to be repeatedly transmitted, the result would likewise always be the same message authentication code MAC and thus also the same shortened transmitted message authentication code CMAC.
In order to avoid such repetitions (replay attack), the message can contain a constantly changing value (truncated freshness value TFV), for example a sufficiently long counter (counter for the data packets DP1, DP2, DP3), time stamp (for the sending of a message) or random value FV, or truncated TFV.
A popular method of authentication is secure onboard communication (SecOC), which is described in the source mentioned at the outset [2] [Autosar] and is used e.g. for secure realtime communication in the vehicle via CAN.
The standard SecOC method according to [2] provides for the resource-efficient authentication of messages (PDUs) for critical data, and also for ensuring the freshness thereof in order to protect against replay attacks. Essentially symmetrical encryption is used for both the transmitting (TX-ECU, SG7 in
The classic CAN bus with a maximum of 8 bytes per message is often used as shown in
The truncation itself then requires the unshortened freshness values FV, that is to say longer monotonous counters or time stamps, in the receiving bus subscriber to be kept up to date or in sync with the transmitting bus subscriber, which can be quite problematic, for example during a start process (for the bus system). If the CMAC in the receiving bus subscriber is not equal to the transmitted value, the entire message is rejected as unauthentic.
Although the alternative option of doing without truncation altogether avoids problems with synchronism, this requires a higher bandwidth or transmission time on the bus.
and with an encryption method f (=“Authenticator”) in the form of AES-128,
and also with a cryptographic key Key=0x2b7e151628aed2a6abf7158809cf4f3c.
The transmitted message MSG is “0x00000000” in each case; the freshness values (e.g. counter of the number of the sent data packet DP1, DP2, DP3, DP4) FV and the message authentication codes (MAC)
and the shortened message authentication codes CMAC are as shown.
The example in
This effectively prevents replay attacks, and authenticity is ensured by the knowledge of the secret key in the transmitting bus subscriber and in the receiving bus subscriber. As a result of the truncation, only the lower byte TFV is now transmitted (because F=1), which means that the information about the higher bytes of FV is ensured by additional synchronization.
In addition to a monotonous counter, a time stamp that e.g. encodes the global time, e.g. the number of seconds since Jan. 1, 2019, is also suitable as a freshness value. This resolution would be suitable for messages that are intended to be authenticated every second; the time stamp would overflow only after around 136 years.
Due to the frequency tolerances of popular oscillators, sufficient synchronism of the global time in the network must be ensured sufficiently often, even when time stamps are used, through additional communication.
Methods and apparatuses according to the invention show alternative approaches in this regard.
Exemplary embodiments of the invention are described below.
In step S1, a transmitting bus subscriber SG6 (transmitting a data packet such as DP1) generates, before transmitting, from the (user data) message MSG to be included in the data packet DP1 a message authentication code CMAC that is likewise to be included in the data packet DP1 by
Formulae for the transmitting bus subscriber SG7 to clarify the encryption (before transmitting a data packet) can be e.g. the following:
CMAC1=BC1(MSG,K1)
CYPH=BC2(Count,K2)
CMAC=CMAC1⊕CYPH
One embodiment of the invention can be implemented at the transmitter as a method or apparatus according to S1.
One embodiment of the invention can be implemented at the receiver as a method or apparatus according to S3.
One embodiment of the invention can also be implemented as a method or apparatus according to S1+S2+S3 in combination.
In step S1, generation of a replay-resistant CMAC in the transmitter is thus proposed. BC1 is e.g. a block cipher algorithm for generating a CMAC1 from a message MSG of length M bytes using a key K1. BC2 is e.g. a block cipher algorithm having a key K2 and a counter that increments with each transmission, having a block length N that is e.g. equal to the length of the CMAC1, that is to say e.g. N=4, BC1=AES, BC2=SIMECK.
In step S2, a network, in particular a (CAN etc.) bus system BU, is used to transmit the (one or else multiple) data packet DP1 thus generated (containing in particular or only the message MSG and the message authentication code CMAC) from a (DP1, DP2, DP3, DP4 etc.) transmitting bus subscriber SG6 to a (DP1, DP2, DP3, DP4 etc.) receiving bus subscriber SG6.
In step S3, a receiving bus subscriber SG6 (receiving a data packet such as DP1) can use the message MSG contained in the received data packet DP1 and the message authentication code CMAC (also contained in DP1) to perform the authentication check on the data packet DP1 using
Within step 3, the message MSG contained in the data packet DP1 received (by the receiving bus subscriber SG6) is used by the (further, e.g. working in the same way as BC1 for the transmitter) first encryption apparatus BC1 to generate an encrypted message code CMAC1 using the (secret, e.g. asymmetrical or symmetrical and/or same as that known for the transmitter SG7) key K1.
The message authentication code CMAC contained in the received data packet DP1 and the encrypted message code CMAC1 are used to generate the intermediate value CIPH using an (XOR) logic device X.
A decryption device BC2−1 (BC2 superscript minus one is e.g. working inversely to the encryption device BC2) is used to generate from the intermediate value CIPH a current received message count RX-Count [n] (n=number of the currently received message DP1, that is to say n=1 here), from which a preceding received message count RX-Count [n−1] (n=number of the currently received message DP1, that is to say currently n=1) (accordingly determined for the data packet DP0 received before the data packet DP1) is subtracted using a subtraction device Sub.
The difference between the current received message count RX-Count [n] and the preceding received message count RX-Count [n−1] is compared with one or with a threshold value S by a comparison device VG, and if the difference is one or less than the threshold value S then the received data packet DP1 is defined as authenticated, but if the difference is greater than one or greater than the threshold value S then the received data packet DP1 is defined as unauthenticated.
Step S3 or the apparatuses in
The threshold value S can e.g. be set to a higher value (e.g. S=2 . . . 5) during or after the restart, in particular reboot (e.g. of the network/bus system BU), than in other normal operation (e.g. S=1).
The encryption device BC1 and the encryption device BC2 can in particular be different from one another or can also be the same. The encryption methods BC1, BC2 can in particular be different from one another or can also be the same. The keys K1, K2 can in particular be different from one another or can also be the same.
Expediently, on multiple or all bus subscribers (e.g. SG6, SG7) the encryption device BC1 is the same and the encryption device BC2 is the same and the encryption methods BC1, BC1 are the same and the keys k1 are the same and the keys k2 are the same, in particular if symmetrical encryption is used; if asymmetrical encryption is used, on the other hand, then the encryption and decryption by all subscribers are expediently matched to one another.
Formulae for the receiving bus subscriber SG6 to clarify the encryption, decryption and authentication check can be e.g. the following:
CMAC1=BC1(MSG,K1)
CYPH=CMAC⊕CMAC1
RX-Count=BC2−1(CYPH,K2)
Instead of the reference sign used for the freshness value “FV” when discussing more conventional methods according to
E.g. a counter that increments with each transmission can be used to generate the count Count++, with e.g. a block length N that is equal to the length of the transmitted message authentication code CMAC1, e.g. N=4, BC1=AES, BC2=SIMECK an encrypted count CYPH.
M=4, N=4, BC1: AES-128, BC2 SIMECK32 [3]
K1=0x2b7e151628aed2a6abf7158809cf4f3c,
K2=0x1918111009080100,
The example in
The CMAC values are transmitted; this effectively prevents replay attacks, and authenticity is ensured by the knowledge of the secret key in the sender and in the receiver. In contrast to the example in
Due to the longer counter and CMAC values with the method according to the invention compared to the standard SecOC method, security against brute force attacks can be higher. Furthermore, a freely selectable tolerance S can be set in the receiver, which permits a tolerance to counter deviations on startup, for example so that a counter deviation of greater than 1 is permissible immediately after startup.
Another possible advantage is the possible saving of computing time with constant messages, which is often the case for automotive or IoT applications. The message-dependent CMAC1 can e.g. then be calculated in advance; the counter-dependent value CIPH is e.g. used with a lightweight block cipher method having lower runtime and resource requirements.
A customary standard CMAC algorithm BC1 is currently AES-128, which is supported in hardware in the case of larger controllers. Depending on the networks or on-ECU communication (LIN, CAN, CAN-FD, SPI, I2C) [1] used, various LW block cipher algorithms can be considered for the various PC; by way of illustration, algorithms from the SIMECK family [3] can be used here:
Abbreviations used can e.g. have the following meanings:
| Number | Date | Country | Kind |
|---|---|---|---|
| 10 2019 204 608.8 | Apr 2019 | DE | national |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2020/058542 | 3/26/2020 | WO |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2020/201010 | 10/8/2020 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 10243732 | Herzerg | Mar 2019 | B1 |
| 20170104581 | Hars | Apr 2017 | A1 |
| 20180131522 | Lawlis | May 2018 | A1 |
| 20190109716 | Mizoguchi | Apr 2019 | A1 |
| Number | Date | Country |
|---|---|---|
| 1964257 | May 2007 | CN |
| 108696411 | Oct 2018 | CN |
| 102014113111 | Mar 2015 | DE |
| 102015015361 | May 2016 | DE |
| 102017125826 | May 2018 | DE |
| 3432511 | Jan 2019 | EP |
| Entry |
|---|
| Office Action dated Dec. 13, 2019 from corresponding German Patent Application No. DE 10 2019 204 608.8. |
| International Search Report and Written Opinion dated May 18, 2020 from corresponding International Patent Application No. PCT/EP2020/058542. |
| Yang et al. “The Simeck Family of Lightweight Block Ciphers”, 2015, Springer-Verlag, Jun. 2015. |
| Werner Zimmermann et al. “Bussysteme in der Fahrzeugtechnik”, 2011, pp. 45-49 and 63-65, Praxis, Viewig & Teubner, ATZ. |
| “Specification of Secure Onboard Communication”, Autosar, 2000, Autosar CP Release 4.3.1; Document ID 654: AUTOSAR_SWS_SecureOnboardCommunication. |
| Wikipedia “Message Authentication Code”, 2019, https://de.wikipedia.org/w/windex.php?title=Message_Authentication_Code&oldid=184370514. |
| Bruce Schneier “Angewandte Kryptographie”, Protokolle, Algorithnen und Sourcecode in C, 1 Auflage, Addison-Wesley, Seite 67, 1996. |
| Office Action dated Nov. 29, 2023 from corresponding Chinese patent application No. 202080026594.7. |
| Number | Date | Country | |
|---|---|---|---|
| 20220191040 A1 | Jun 2022 | US |
