This disclosure relates generally to the field of network communications and, more specifically, to systems and methods for secure communication using shared communication media.
The Controller Area Network (CAN) bus communications standard provides a robust communication interface that is used in a wide range of applications including, but not limited to, automobiles and other transportation vehicles, building automation, industrial systems, robotics, and other fields that require communication between embedded digital devices using a shared communication medium. Many CAN bus embodiments employ two electrically conductive wires, which are referred to as CAN-High (CANH) and CAN-Low (CANL), and electronic devices, which are referred to as “nodes” use the CANH and CANL wires as a shared communication medium to transmit and receive data using a standardized data frame format. The CAN bus typically utilizes of a pair of shielded or unshielded twisted pair of cables as the physical medium for signal transmission.
During normal operation, the nodes perform a bus arbitration process when one or more nodes wish to transmit a data frame to ensure that only one node actually transmits data on the CAN-High and CAN-Low lines at a time to provide reliable communication without “collisions” that occur when two or more nodes transmit simultaneously. In the CAN bus standard, when transmitting the dominant bit ‘0’ on the bus, the output pins CANH and CANL are driven to different voltage levels, and the difference from CANH to CANL is the output of the CAN bus. Similarly, transmission of a recessive bit ‘1’ occurs when CANH and CANL are not driven and will have similar voltage levels. Because the CAN bus is a shared communication medium, every node that is connected to a CAN bus can read each bit of data that is transmitted through the bus. This property of CAN bus presents problems when two nodes wish to communicate data privately that cannot be understood by other nodes that are connected to the bus.
Recent advancements to CAN bus implementations include configurations in which two nodes that are connected to the CAN bus transmit bits of data simultaneously (to produce a collision intentionally) to exchange cryptographic key data in a manner that prevents third party nodes from being able to determine which of the two transmitting nodes is actually transmitting information that forms a part of the cryptographic key. In one part of these key exchange techniques, two nodes simultaneously transmit a logical 1 and a logical 0 signal, followed by simultaneous transmission of the logical complement of the original bits from both nodes, which produces a summed voltage differential between the CANH and CANL wires that can be detected by each of the attached nodes. However, while all of the devices that are attached to the CAN bus can detect the transmission of a dominant bit (logical 0) through the CAN bus, because the two nodes transmit simultaneously the other nodes that are connected to the CAN bus cannot determine which of the two nodes is transmitting the dominant 0 or the non-dominant 1 at any one time during the transmission sequence of the 0/1 bit followed by the logical complement, and only the two transmitting nodes do know which bit is being transmitted. The two nodes transmit the logical 0 and 1 bits and their logical complements in a randomized manner (if both nodes transmit a logical 00/11 sequence or logical 11/00 sequence then the transmission is ignored since those signals do enable third parties to determine the data transmitted from each node), which prevents other nodes connected to the CAN bus from detecting the identity of the node that transmits each bit. This operation, which is repeated many times and combined with other techniques that are not described in greater detail herein, forms the foundation to enable two nodes—and indirectly even larger groups of nodes—to exchange data that form the basis for shared cryptographic keys. After the nodes have exchanged cryptographic keys, those shared keys are used to perform data encryption and authentication/verification operations using techniques that are otherwise known to the art that enable different subsets of the nodes on the bus to exchange data that cannot be decrypted or altered in an undetectable manner by other nodes that are connected to the CAN bus.
As described above, nodes that are connected to the CAN bus with standard CAN bus transceivers can detect the voltage signals corresponding to logical 0 and 1 levels through the CANH and CANL wires of the CAN bus. When two nodes transmit a logical 0 and 1 simultaneously, the transceivers of most standard CAN nodes cannot determine which of the two nodes transmitted the logical 0 and 1. However, at a physical level the electrical signals that are transmitted through the CAN bus do not perfectly correspond to the logical 0 and 1 levels of digital logic that are described above because the physical components of the CAN bus and the nodes themselves have complex and different analog electrical properties. In some instances, an adversary, which is either a legitimate hardware node in the CAN bus that has been compromised by malicious software or an unauthorized hardware device that is electrically connected to the CAN bus, performs high-precision measurements of the properties of the electrical signals that are transmitted through the CAN bus in a manner that may enable the adversary to determine which node transmits the logical 0 and which node transmits the logical 1 signal in the process that is described above. In particular, since both nodes transmit a logical 0 and logical 1 in the randomized order for each bit exchange, the adversary can monitor signal characteristics of the dominant bit signal (the logical 0) that is transmitted from each node. The adversary can then reconstruct the secret data that is shared between the two nodes and compromise the security of the CAN bus system. This class of attacks is referred to as a side-channel attack because the adversary extracts information based on precise electrical signal measurements that are affected by the physical properties of the bus and the nodes that are connected to the bus in a particular CAN bus system even though the adversary has not defeated the logical protocol for cryptographic key exchange that is described above.
Consequently, improvements to methods and systems that reduce or eliminate the threats from these side-channel attacks would be beneficial.
The embodiments described herein include new methods to perform side-channel attacks against systems that utilize the simultaneous transmission of data between two nodes for key agreement through a shared communication medium such as CAN bus. The embodiments also include methods and systems that provide countermeasures to reduce or eliminate the ability of an adversary to determine which node transmits a logical 0 or 1 signal when two nodes transmit the signals simultaneously through the CAN bus even when the adversary is configured to physically probe the channel. These embodiments enable obfuscation of the voltage observed by an adversary with minimal circuit changes. The advantages of the embodiments described herein include, but are not limited to, techniques to protect devices that rely on simultaneous transmission of data bits to establish a private channel for cryptographic key exchange from voltage probing attacks and leakage. These schemes include utilize techniques such as changing network characteristics, enabling cooperation between nodes and voltage regulation circuits.
In one embodiment, a method of operating at least one node in a communication network that uses a shared communication medium has been developed. The method includes adjusting, with a controller in a first node, a resistance of a first potentiometer in the first node to a first resistance level that the controller in the first node determines randomly, the first potentiometer in the first node being connected to an output of a transceiver in the first node and to a shared communication medium, and transmitting, with the transceiver in the first node, a first data bit through the output that is connected to the shared communication medium with the first potentiometer producing the first resistance level.
In another embodiment, a method of operating a node in a shared communication network that provides voltage feedback to a shared communication medium has been developed. The method includes detecting, with a transceiver in the node, that a bit is being transmitted by another node through a shared communication medium that is connected to the transceiver, sampling, with a sample and hold circuit in the node, a voltage level in the shared communication medium while the bit is being transmitted by the other node through the shared communication medium, generating, with a differential amplifier, an output signal corresponding to a difference between the voltage level from the sample and hold circuit and a predetermined reference voltage, generating, with a summing amplifier and an inverting amplifier, a correction voltage level based on a sum of the output signal from the differential amplifier and a predetermined voltage level of a drive voltage source in the node, and transmitting, with the transceiver in the node, an output voltage to the shared communication medium based on the correction voltage level to drive the voltage level of the shared communication medium to the predetermined reference voltage while the bit is being transmitted by the other node through the shared communication medium.
In another embodiment, a method of operating a node that includes a plurality of transceivers that are connected to a shared communication medium has been developed. The method includes operating, with a controller in the node, a multiplexer to control a plurality of transceivers in the node to transmit a plurality of bits to a shared communication medium simultaneously, the controller selecting the bits for transmission randomly, wherein at least one bit is a dominant bit for transmission through the shared communication medium.
For the purposes of promoting an understanding of the principles of the embodiments disclosed herein, reference is now be made to the drawings and descriptions in the following written specification. No limitation to the scope of the subject matter is intended by the references. This disclosure also includes any alterations and modifications to the illustrated embodiments and includes further applications of the principles of the disclosed embodiments as would normally occur to one skilled in the art to which this disclosure pertains.
As used herein, the term “bit” refers to a binary value that can have one of two discrete values, which are typically represented as a “0” or “1” in text. Communication systems generate signals with different voltage levels, phases, or other signal characteristics that represent the two values of a binary bit during transmission of data. As is well-known to the art, digital data includes a series of one or more bits that can represent numbers, letters, or any other form of data and, in particular, a set of bits can form a cryptographic key. As used herein, the terms “logical complement” or “inverse” as applied to binary values are interchangeable and refer to a set of data or an operation that changes the values of each bit of binary data (e.g. the binary sequence “101” is the logical complement of “010”). As described in more detail below, a protocol for secure key exchange leaves different nodes with sets of corresponding bits for shared keys that are logical complements of each other. Selected sets of the nodes perform an inversion operation so that all of the nodes have the same shared key.
As used herein, the term “key” or “cryptographic key” refers to a sequence of bits that two or more nodes in a communication network use to perform cryptographic operations including the encryption and decryption of data and for authentication of transmitted data. A “shared key” refers to a key that is known to two or more nodes that communicate with each other but the shared key is not otherwise known to third parties, including adversaries. The methods and systems described herein enable two or more nodes in a communication network to generate a shared key that an adversary cannot identify even if the adversary can monitor any communication that occurs between the nodes and is capable of performing the side-channel attacks that are described herein. After the shared keys are generated, the nodes perform cryptographic operations that are otherwise well-known to the art and are not described in greater detail herein.
As used herein, the term “shared communication medium” refers to a physical network connection and network communication protocol in which multiple nodes transmit and receive data in a manner where any transmission from a single node is received by all other nodes that are connected to the shared communication medium. In a shared communication medium, two or more nodes can transmit data simultaneously. The shared communication medium is considered an “insecure” or “untrusted” communication channel because an adversary is assumed to have the ability to monitor any and all communications that occur through the shared communication medium.
Two non-limiting examples of shared communication media include the Controller Area Network bus (CANbus) network communication bus and protocol and the I2C bus. In both of these embodiments, all nodes that are communicatively connected to the shared communication medium can observe all signals that are transmitted through the communication medium, including signals that are not intended for receipt by a particular node. As described in more detail below, each node is a computing device that includes a transceiver configured to both transmit and receive signals through the shared communication medium to one or more additional nodes.
One class of side-channel attack is referred to in this document as a “voltage side-channel” attack that relies on precise measurements of the steady-state output voltages from different nodes in a CAN bus system to determine which node is transmitting a logical 0 or 1 when two nodes transmit data simultaneously using the techniques described above. The CAN bus system uses differential voltage for signals in which two nodes that transmit a logical 0 (high voltage) and logical 1 (low voltage) simultaneously, only one of the nodes produces a change in the voltage differential on the CANH and CANL wires. In most CAN embodiments, both the CANH and CANL wires are driven to a predetermined voltage level (e.g. 2.5V) by default and if the difference between the voltages on CANH and CANL is zero or within a predetermined operational threshold of zero then a transmissions is said to be “recessive”, which corresponds to a logical 1 and the nodes connected to the CAN Bus detect the logical 1 based on the zero or low voltage differential. If, however, a node transmits a logical 0 then the node drives the CANH wire to a higher voltage level above 2.5V and the CANL wire to a lower voltage level below 2.5V. The differential in voltage between the CANH and CANL is easily detected by other nodes that are connected to the CAN bus to detect the logical 1 and 0 signals.
As depicted in
In addition to voltage differences between nodes with different drive voltage levels, two transceivers with identical drive voltage levels can have different load resistances. Similar to the drive characteristics, this can lead to different voltages on the CANH and CANL lines when different transceivers are used. An adversary node utilizes this to identify the transmitter. For example, two embodiments of commercially available CAN bus transceivers are the MCP2551 and the TJA1040. The MCP2551 includes an operational load resistance to be 40Ω<RL<60Ω, whereas for TJA1040, the regulated load resistance is 45Ω<RL<65Ω. These differences cause a difference in transmission voltages that can help an adversary distinguish between the nodes.
Additionally, the differences between the locations of nodes along the CAN Bus and the location of the adversary node can produce potential leakage of information in a side-channel attack, even if the two CAN Bus transceivers operate with identical drive voltage and impedance levels. Even though the transmission characteristics of the two nodes are similar, an intermediate observer in the CAN bus, such as the adversary 124, may be able to detect differences in the signals due to the differences in the impedance of the network segment between the two transceivers and the intermediate location of the adversary. For a typical CAN bus scenario, several factors can contribute to these differences, such as different length of the wire connecting the two nodes to the adversary node, and different number of intermediate nodes, which cause identical signals transmitted by the two transceivers to be differentiable at such points. An adversary probing the bus at such points can thus identify the nodes when the nodes perform simultaneous transmission to exchange cryptographic keys as is described above.
For example, in the CAN bus network of
The information leakage described above occurs due to differences in the impedance characteristics, driver circuit and noise characteristics between different transmitters to a common observation point of the adversary node. This may stem from a variety of factors, and represents a fingerprint of a transceiver. The embodiments described herein minimize leakage to such an adversary. The information that the adversary can detect is obfuscate by controlled addition (or removal) of noise (or variability). In an ideal system, the distribution of the voltage observations due to any transmitting node should be similar, and the embodiments described herein provide several such countermeasures to achieve this goal. The different countermeasures require different degrees of change in existing bus architecture, and correspondingly, achieve varying degrees of leakage reduction.
As described above, an adversary node can use the different impedance levels of CAN Bus nodes as part of a side-channel attack to detect the identity of the CAN bus node that transmits each signal when two CAN Bus nodes operate simultaneously. One technique to reduce or eliminate this information leakage is to adjust the impedance levels of nodes in the CAN bus in an unpredictable manner so the adversary node cannot reliably detect the identities of the nodes that transmit data when two nodes transmit simultaneously to transmit private data for cryptographic key exchange.
The nodes 304 and 306 each include a countermeasure controller 310 that is operatively connected to two variable resistors (potentiometers) 320 and 324. In the embodiment of
In each of the nodes 304 and 306, the potentiometer 320 is electrically connected to the drive voltage source (326 in node 304 and 328 in node 306) and the transceiver 316. The potentiometer 324 is connected between the outputs of the transceiver 316, where the outputs connect the transceiver 316 to the CANH conductor 112 and the CANL conductor 116.
The potentiometers 320 and 324 include digital potentiometers that can be controlled by output signals from the countermeasure controller circuit 310 and are adjusted at a high rate of speed to enable efficient operation in the CAN bus system 300. While
In
During an operation in which two nodes transmit bits simultaneously to exchange secret data, the countermeasure controller 310 in each of the nodes 304 and 306 sets the resistance level of the potentiometer 320 in the node that transmits the dominant voltage level (e.g. the node that transmits the logical 0) to a randomly selected level within a predetermined resistance range. The predetermined resistance range is selected so that both nodes generate dominant signals at a voltage level that is within the operational range of both nodes. The resistance level of the potentiometer produces a reduction in voltage that the transceiver receives from the voltage source that increases as the resistance level of the potentiometer increases as is well known to the art, and the countermeasure controller 310 in each node is configured to adjust the resistance value of the potentiometer 320 differently based on the predetermined supply voltage level in each node and the operational voltage range of the transceiver. During simultaneous transmission operations, the countermeasure controller 310 in each of the nodes 304 and 306 randomly sets the value of the potentiometer 320 so that both nodes produce dominant output signals that are randomly generated within with voltage levels that are within a valid voltage range for CAN bus transmissions. Consequently, the nodes 304 and 306 are configured to reduce the ability of the adversary to perform the attack that is depicted in
In addition to the potentiometers 320, the nodes 304 and 306 of
In a high speed operating scenario, such variations can influence the robustness of the CAN bus and cause errors at the receivers. Consequently, during standard CAN bus operation the potentiometers 324 are disconnected from the transceiver outputs to enable the CAN bus to operate with nominal impedance. However, during the specific operations in which two nodes transmit data simultaneously to exchange cryptographic key data, the CAN bus can operate at a sufficiently low speed to enable the potentiometers 324 to adjust the effective load impedance while still enabling communication between the two simultaneously transmitting nodes while reducing or eliminating the ability of the adversary 124 to perform side-channel attacks. During operation the countermeasure controller 310 adjusts the potentiometer 324 in each of the nodes 304 and 306 to produce a randomly selected resistance level that adjusts the load resistance level.
Table 1 depicts voltage output levels on a CAN bus for different transceivers with varying levels of load resistance.
While Table 1 depicts ten distinct load resistance values for illustrative purposes, the countermeasure controller 310 can operate the potentiometer 324 to produce a much larger number of distinct load resistance levels within the predetermined operational load resistance range.
Different methods of operation of the nodes 304 and 306 in the system 300 reduce or eliminate the ability of the adversary 124 to identify the nodes that transmit the logical 0 and 1 signals when two nodes operate simultaneously by adjusting the effective load impedance in a randomized manner. The techniques include individual node resistance variation and group resistance variation.
In individual resistance variation, the countermeasure controller 310 in each node adjusts the resistance level of the potentiometer 324 in a random manner at least once per bit transmission including, for example, prior to and one or more times during the transmission of each bit as described above. The countermeasure controller 310 includes a memory or is connected to a memory that stores a pre-defined lookup table similar to Table 1 above that characterizes the voltage variations produced by different resistance levels. Since for a typical CAN scenario, the impedance of the network as observed by a transceiver would be similar, the profile can be used without tuning across CAN networks.
As described above, the nodes are configured to operate within a minimum and maximum voltage range VDmin≤VD≤VDmax. Each node i identifies a range of resistance values Rmini≤RLi<Rmaxi with suitable resistance levels that produce a desired voltage output for dominant bit (e.g. logical 0) transmissions. The countermeasure controller 310 in each node generates a randomly and independently sampled value that is selected using a uniform random distribution in one embodiment to generate a resistance value from the range: Di(Rmini,Rmaxi) where Di denotes the uniform random distribution of resistance values that also produce a randomly uniform set of output voltages. The resistance values that produce a uniform set of output voltages may not be purely uniformly selected because the potentiometer 324 is connected in parallel with other resistors the components of CAN bus itself and the effective resistance levels of the other nodes that are connected to the CAN bus, which means that the output voltage may not change linearly with changes to the resistance level of the potentiometer. In some embodiments, the countermeasure controller 310 uses a mapping between the resistance values and the effective output voltage levels to select resistance values that produce uniformly random variations in the output levels even if the resistance values are not selected with a uniform random distribution. The mapping is determined empirically and can be stored in a memory of the countermeasure controller 310 or another memory device in the node.
In group resistance variation, a group of the nodes that are connected to the CAN bus adjust the load resistance levels in a randomized manner to adjust the overall impedance level of the CAN Bus in a randomized manner so that even nodes that do not include the additional features of the nodes 304 and 306, such as the prior art node 108 of
In the group resistance configuration, the jammer nodes operate with a randomized potentiometer configuration that prevents the total impedance level of the CAN Bus from being altered to the point that communication through the CAN Bus becomes unreliable. This may limit the range of variation for the potentiometer setting in each individual node in the ‘jammer’ set. However, the collective influence of such variations can cause sufficient obfuscation for an adversary. In one example for a given number of M jammer nodes, each node can choose from only two distinct load impedances, and the collective variation results in 2M levels. However, realistically, due to similarities in impedance scenarios, the jammer nodes produce a smaller number of distinct impedance levels. However, this can be adjusted by choosing a distinct value of load resistances for each node and having 2M distinct levels for each of the nodes that are assisted by the jammer nodes.
Voltage Feedback Loops
In another embodiment, nodes in a CAN Bus are configured with voltage feedback hardware that enables the nodes in the CAN bus to reduce distinguishable differences in the voltage levels between two transmitting nodes to a point at which the adversary node cannot practically determine which node transmits a logical 0 or 1 when both nodes transmit data simultaneously followed by the transmission of the logical complements. This may be achieved by driving the bus lines to a shared reference value during transmission, i.e. regulating the CAN bus voltage. This can be implemented via a feedback mechanism that samples the bus output and drives the output to a common reference by adjusting the transmitter characteristics. Such a feedback mechanism, added to even a single node in a CAN bus network can drive the CAN Bus to a predetermined voltage level for both dominant transmission and non-dominant transmission bits to reduce the ability of the adversary to detect smaller inconsistencies in the transmitted voltage level s from different individual nodes that are connected to a CAN bus.
In the node 400, the sample and hold circuit 404 samples the voltage level from both lines of the CAN bus at a predetermined sampling rate that is fast enough to measure changes to the voltage levels in the CANH and CANL conductors of the CAN that occur during bit transmissions from other nodes in the CAN Bus.
The difference circuit 408 calculates the difference in the sampled voltage received from the sample and hold circuit 404 on the CAN bus line (in either CANH or CANL) with the reference voltage. The gain of the difference circuit is set depending on the configuration of the summing amplifier and inverting amplifier in Set VDD 412. In one embodiment, a differential amplifier implements the difference circuit although other circuit embodiments may implement the difference circuit as well.
The Set VDD block 412 is a voltage regulation circuit that, in one embodiment, includes a summing amplifier and an inverting amplifier that calculates a correction voltage to be generated by the transmitter 418 in the transceiver based on the output of the difference circuit 408 added to the value of the drive voltage source VDD (not shown) in the node 400. In one configuration the node 400 operates with a linear relationship between the drive voltage source and the peaks of CANH and CANL, and the Set VDD is implemented using the summing amplifier and inverting amplifier. The summing amplifier receives a reference voltage from the drive voltage source of the node 400 (5V in one embodiment) and the output of the difference circuit, and generates a sum of the inputs. The inverting amplifier inverts the output result from the summing amplifier to provide a feedback value for the node 400 to generate an output voltage that drives the detected sum towards zero. Note that in this case the gain of the difference circuit is same as the slope of the CANH/CANL vs. VDD curve. The node 400 includes a voltage source VDD (not shown in
The countermeasure logic device 410 is a digital logic device that is integrated with a CAN transceiver in the node 400 but can be a separate digital logic device in other embodiments. The countermeasure logic device 410 performs two functions. First, the countermeasure logic device 410 utilizes the current CAN bus level to detect when a bit is transmitted through the CAN bus. The CAN receiver 416 and decoder 420 provide a digital output for the CAN bus that enables the countermeasure logic device 410 to determine if a data bit, and a dominant voltage logical 0 data bit in particular, is being transmitted through the CAN bus. For scenarios where a bit is transmitted, the countermeasure logic device 410 provides the reference voltage level for stabilization, and the CAN transmitter 418 transmits at a voltage level corresponding correction voltage from the output of the Set VDD circuit 412 to provide the voltage feedback signal to the CAN Bus. The countermeasure logic device 410 maintains bit timing to ensure that the countermeasure voltage feedback signal is transmitted only for the duration of a single bit transmission through the CAN bus, where the duration is set by the transmission speed of the nodes that are connected to the CAN bus. Further, countermeasure logic device 410 maintains a sufficient gap between successive transmissions to allow the active nodes to transmit additional bit values on the CAN bus and for additional bit values to be correctly sampled by the receiver circuit.
As described above, the voltage feedback loop embodiment of
Using Multiple Transceivers for Signal Obfuscation
In another embodiment, a CAN bus system includes nodes that employ multiple transceivers either within individual nodes or between different nodes that are connected to the CAN bus to reduce or eliminate the ability of an adversary to conduct a voltage side-channel attack when two nodes transmit logical 0 and 1 bits followed by the transmission of the logical complements simultaneously through the CAN bus.
In the embodiments of
Table 2 depicts voltage output levels for simultaneous dominant bit transmissions from multiple transceivers, where the multiple transceivers may be in a single node as in
In addition to variation in the number of simultaneously transmitting sources, changing the total number of nodes that are connected to the CAN bus that act as sinks in a random manner varies the observation by an adversary. In the traditional setting, each node on the bus that is not transmitting acts as a sink, and this characteristic is used in “jammer node” embodiments described above with reference to
Table 3 depicts the voltage observations of the adversary for different states of the tri-state nodes. Using the tri-state operating mode with optional isolation of transceivers, the embodiments of
In one embodiment, the CAN controller 512 includes or is connected to a memory that stores one or more lookup tables with control values for each of the transceivers 516A-516C and the switches 518A-518C that encode the information depicted above in Table 2 and Table 3. To transmit a dominant bit, the CAN controller 512 selects an entry from the table randomly to control the simultaneous transmission of different bits from the transceivers 516A-516C. In the embodiment of Table 3, the CAN controller 512 also optionally disconnects one or more of the transceivers 516A-516C from the CAN bus by sending commands to the transceiver multiplexer 514 to open the switches 518A-518C based on the randomly selected entry from Table 3.
The systems described herein can operate in the following modes including a multiple transceivers per controller operating mode, a multiplexed transceiver per controller operating mode, and as helper nodes. These modes are each described in further detail below.
In the multiple transceivers per controller embodiment that is depicted in
In the multiplexed receivers per controller operating mode of
In the helper nodes operating mode, the addition of transceivers using the embodiments of
In passive assist, an idle node that does not need to observe signals on the CAN bus operates the switch to isolate its transceiver (i.e. the ‘X’ state), based on the output of a random number generator implemented in software or hardware in the CAN controller. Any node that includes a switch and control logic to electrically isolate the transceiver in the node from the CAN bus can perform the passive assist mode independently of the other nodes in the CAN bus.
In active assist, a node monitors the CAN bus by sampling the bus at a high frequency. If it detects a transition from recessive to the dominant state, it can choose to actively assist the transmitter randomly based on the output of a random number generator. Otherwise, the node performs the passive assist described above. In the active assist mode, a node assists the transmitter of the original signal by instantly transmitting the dominant signal for the remainder of the bit duration. For implementations of CAN bus in which a node is aware of the expected bus transmissions (e.g. group key scenarios in which more than two nodes perform a cryptographic key exchange process), the active assistance may be provided without sampling the bus, by simply transmitting a dominant signal during the predicted dominant bit periods.
The embodiments describe above for using multiple transceivers to reduce the ability of an adversary to perform voltage side-channel attacks are fully compatible with all of the other embodiments that are described above with reference to the nodes of
The embodiments described herein describe methods for voltage side-channel attacks against devices that transmit simultaneously using a shared communication medium such as CAN Bus in which the attacker can identify which node transmits a bit of data. The embodiments also describe systems and methods that reduce or eliminate the effectiveness of these attacks. These embodiments protect against adversaries that can physically probe the voltage characteristics of communication medium using high resolution equipment. Examples of systems that can use these methods include, but are not limited to, automotive systems (cars, buses, trucks, farm equipment, trains), industrial systems that use CAN bus, control panels for DC-electrical power distribution systems, and security systems that use CAN bus. The embodiments described herein protect against side-channel attacks that target voltage based features by an adversary that utilizes these features to extract secret key data exchanged by nodes that transmit logical 0 and 1 bits through a shared communication medium simultaneously. To mitigate these issues, one embodiment utilizes the dependence of the voltage on network impedance. A countermeasure controller adjusts the load impedance randomly over time to modify the voltage level that the adversary observes on the bus in an unpredictable manner. Another architecture includes a node that provides voltage feedback to regulate the voltage level seen on the CAN bus to a stable value that prevents the adversary from observing smaller variations in voltage levels that could be used to identify specific nodes that transmit particular bits of data. Another embodiment includes multiple transceivers that can change the voltage level observed on the bus in a randomized manner to obfuscate the voltage signals that an adversary observes adversarial in the shared communication medium, including a single node configured with multiple transceivers, groups of nodes that multiplex the transmission of data from multiple transceivers, and nodes that cooperate with one another.
It will be appreciated that variants of the above-disclosed and other features and functions, or alternatives thereof, may be desirably combined into many other different systems, applications or methods. Various presently unforeseen or unanticipated alternatives, modifications, variations or improvements may be subsequently made by those skilled in the art that are also intended to be encompassed by the following claims.
This application claims the benefit of U.S. Provisional Application No. 62/468,705, which is entitled “Method to Mitigate Voltage Based Attacks on Key Agreement over Controller Area Network (CAN),” and was filed on Mar. 8, 2017, the entire contents of which are expressly incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
62468705 | Mar 2017 | US |