Patent Application
20180131524
The present disclosure relates to securing information exchanged between internal and external entities of connected vehicles.
Recent advances of in-vehicle technology have paved a way to connect vehicles to the external world. Car makers are adding various connectivity and telematics solutions for passenger and fleet vehicles. They have also introduced solutions that either use an embedded modem or connect to the Internet via the driver/passenger's cellphone (e.g., GM OnStar, Ford Sync). Besides, fleet solution providers offer solutions attachable to the vehicle's on-board diagnostics (OBD2) port (e.g., Delphi Connect and Zubie). As a result, in-vehicle networks are being connected to an external communication channel for remote diagnostics and remote triggering of on-board functions.
Externally connected devices collect in-vehicle data from, and inject messages into in-vehicle networks. A controller area network (CAN) bus—the de facto in-vehicle network—is connected to an outside network via external interfaces, such as 3G/4G, WiFi and Bluetooth. The device between internal and external networks is called an external interface ECU, or simply a gateway.
Car manufacturers do not want to expose their intellectual assets via vehicle connectivity since their in-vehicle message semantics are usually proprietary. Thus, the gateway translates in-vehicle data to rich type data (e.g., JSON, XML), concealing their proprietary data inside the vehicle.
However the gateway may be compromised and then become a potential threat to vehicle safety and security. That is, since the transmission from and to an external entity relies entirely on the gateway, the communicated data becomes untrustworthy once the gateway is compromised. For example, the compromised gateway can make incorrect translation of, or drop/delay messages, and hence it is referred to as “bogus interpreter problem.”
Existing communication models only consider the communication security between the vehicle's gateway and an external entity by applying a network security layer, such as transport layer security (TLS). There have also been various efforts to provide cyber-vehicle security, but they still lack support for secure data exchange between internal ECUs and external networks.
In this disclosure, a secure communication protocol is presented for exchanges between internal ECUs and external devices. The proposed protocol includes the translation and security of end-to-end communication between an external entity (e.g., the car maker's server) and in-vehicle components that cannot be achieved with a naïve approach such as TLS, mainly because the in-vehicle bus (e.g., CAN) and in-vehicle controllers are severely resource-limited. The proposed protocol is shown to be resilient against the message forgery and drop by a compromised gateway.
This section provides background information related to the present disclosure which is not necessarily prior art.
This section provides a general summary of the disclosure, and is not a comprehensive disclosure of its full scope or all of its features.
A method is presented for exchanging data between a vehicle and an entity external to the vehicle. One aspect of the method is implemented by a gateway in the vehicle. The method includes: receiving a message broadcast by a sending controller residing in the vehicle, where the message includes a message identifier, payload data and a message authentication code such that the message identifier and the payload data are in a format defined by vehicle manufacturer and the message authentication code is generated by the sending controller using a content key shared between the sending controller and the external entity; extracting the message identifier and the payload data from the message; translating the message identifier and the payload data from the format defined by the vehicle manufacturer to an open format, where the open format differs from the format defined by the vehicle manufacturer; constructing another message for transmission to the external entity, where the another message includes the translated message identifier, the translated payload data and the message authentication code; and sending the another message via an external network to the external entity. Constructing the another message includes generating another message authentication code by hashing the payload data and an external sender key, where the external sender key is shared between the gateway and the external entity. The another message authentication code is preferably comprised of sixty four or more bits.
In another aspect, the gateway handles an incoming message from an entity external to the vehicle. The method includes: receiving an incoming message sent from an entity external to the vehicle, where the incoming message includes a message identifier, payload data and a message authentication code such that the message identifier identifies a recipient controller in the vehicle and the payload data formatted in accordance with an open format and the message authentication code is generated by the external entity using a sender key shared between the gateway and the external entity; extracting the payload data and the message authentication code from the incoming message; generating a message authentication code using the payload data and the sender key which is known to the gateway; and comparing the extracted message authenticated code to the generated message authentication code When the extracted message authentication code does not match the generated message authentication code, incoming message is discarded. On the other hand, the incoming message is processed further when the extracted message authentication code matches the generated message authentication code. Further processing of the incoming message includes: decrypting the incoming message using the sender key; translating the message identifier and the payload data from the open format to a format defined by the vehicle manufacturer; generating a new message authentication code by hashing the translated message identifier and the translated payload data; and broadcasting a new message on the vehicle network, where the new message is of the translated message identifier, the translated payload data and the new message authentication code.
In one embodiment, the message is broadcast over the vehicle network in accordance with Controller Area Network message protocol and the open format is further defined as one of JavaScript Object Notation or Extensible Markup Language.
Further areas of applicability will become apparent from the description provided herein. The description and specific examples in this summary are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
The drawings described herein are for illustrative purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure.
E that G transmits to ε over external networks at a time.
Corresponding reference numerals indicate corresponding parts throughout the several views of the drawings.
Example embodiments will now be described more fully with reference to the accompanying drawings.
Automotive systems are real-time systems, equipped with various controller or electronic control units (ECUs) which are interconnected via wireline serial data networks, such as Controller Area Networks (CAN), Local interconnect network (LIN), and FlexRay. CAN has become the de facto standard for in-vehicle communications due to its low cost and widespread deployment. While reference is made to CAN throughout this application, it is readily understood that the concepts presented herein extend to other types of serial network protocols.
In-vehicle networks use the multi-master model. Every frame is broadcast on the bus, and every controller (e.g., ECU) listens to it and grabs only relevant frames by comparing their IDs (i.e., the arbitration field in each frame) with those stored in the message/frame filter. CAN allows up to 64 bits for data and provides a 16-bit CRC field (with a 1-bit CRC delimiter) to check the integrity of each received frame as seen in the frame format shown in
The vehicle connectivity requires knowledge of CAN data for its intended use, forcing car makers to seek ways to make the data available without exposing its proprietary information to unauthorized entities. In addition, there is a large gap between in-vehicle and external networks, such as IP-based networks. In one approach, car makers deploy ECUs with external interfaces as a gateway (GW) to communicate with the external world.
Two ways of utilizing the internal vehicle data while concealing the original format are encapsulation and translation. Encapsulation is commonly used in computer networks. The original data is masked until the authorized entity receives it. Message encryption is an example of encapsulation. However, encapsulation is difficult to use for the case when an entity wanting to use the data is not authorized to know the original CAN raw data. Usually, a large number of cars from various car makers are on the road. Thus, data translation is considered as a practical solution, converting the original data format to another. However, there is a serious security risk in data translation which is commonly referred to as “bogus interpreter problem”.
Since the gateway is the conduit to external networks, it can be the primary target by the cyber attackers. Referring to
To prevent the bogus interpreter problem, the security architecture needs to meet the following design requirements. First, the receiver ECUs must be able to determine if messages in in-vehicle networks are from a valid sender ECU. Second, when messages are transmitted through the gateway, the receivers, external entities or ECUs should be able to determine their validity. Third, either ECUs or external entities should be able to determine if messages are properly communicated to the intended receivers through the gateway.
The gateway first receives at 51 a message broadcast on the vehicle network by a sending controller. The message includes a message identifier, payload data and a message authentication code, such that the message identifier and the payload data are in a format defined by vehicle manufacturer and the message authentication code is generated by the sending controller. The message authentication code is generated by the sending controller using a content key shared between the sending controller and the external entity. Within the proposed system model, these data types are shown in
→
→
Upon receipt of the message, the gateway in turn extracts 52 the message identifier and the payload data from the message and translates 53 the message identifier and the payload data from the format defined by the vehicle manufacturer to an open format, where the open format differs from the format defined by the vehicle manufacturer. Example open format include but are not limited to JavaScript Object Notation (JSON) and Extensible Markup Language (XML). The format need not be open so long as it differs from the proprietary format defined by the vehicle manufacturer. An example data translator is illustrated in
Next, the gateway constructs 54 a new message for transmission to the external entity. The new message includes the translated message identifier, the translated payload data and the message authentication code received from the sending controller. Lastly, the new message is sent by the gateway via the external interface to the external entity. It is to be understood that only the relevant steps of the data exchange are discussed in relation to
This approach is built upon the following assumptions. First, the data exchange ECU and the gateway are equipped with cryptographic computation capabilities, as specified in the AUTOSAR (Automotive Open System Architecture) standards. Internal ECUs are trusted, as they are located inside of the vehicle, and are seldom changed and their access is limited during the vehicle's operation life. Physical hardware modifications are not considered in this disclosure. A trusted third party issues keys and has the knowledge of both in-vehicle data and common types, e.g., car makers know raw CAN data and its JSON translation.
Further description for an example embodiment of the data exchange protocol is set forth below. The data exchange, however, relies upon pre-distribution of keys and setup of a secure channel. A trusted third party (TTP) issues keys with different lifetimes to each entity. An example of a secure channel setup model is briefly described below. Further details regarding this secure channel setup model can be found in K. Han et al's article “On authentication in a connected vehicle: Secure integration of mobile devices with vehicular networks” Proceedings of ICCPS 2013, pages 160-169, April 2013 which is incorporated herein by reference.
Suppose ECU j in the in-vehicle network, where 1≤i,j≤n, i≠j, and n is the number of ECUs with a security function. At first, the TTP randomly selects two long-term secret keys lki,j and lkiI, where lki,j is a shared key between
i and
j, and lkiI is a seed key for secure communication with the gateway. The TTP then deploys lki,j and lkiI in
i during vehicle manufacturing. This stage is assumed secure, which is reasonable and easy to achieve.
For the gateway to communicate
1, TTP first randomly selects rg and generates a timestamp TSg, a midterm secret key mk1I and a certificate cert1g where mk1I=KDF(lk1I|rg and cert1g=h{lk1I, rg|TSg}, KDF is the key derivation function, and h{k, m} is a MAC for message m with key k. For the other ECU Ui, the TTP generates mkiI and certig and also randomly selects mkE for communications with external entities.
receives rg, TS9, a key set MKI, a certificate set CERTg, and a key mkE from TTP during the installation stage, where MKI={mkiI|0≤i≤n}, CERTg={certig|0≤i≤n}. This stage is also assumed to be secure.
Suppose an external entity E wants connection to the vehicle, thus requesting keys from the TTP. Upon receiving the request from ε, the TTP first randomly selects re and a timestamp TSe. Then, it generates a key set SKI and a certificate set CERTI, where SKI={skiI|1≤i≤n},CERTI={certiI|1≤i≤n}, skiI=KDF(mkiI|re), certiI=h{lkiI, re|TSe}. The TTP also generates a secret key skE and a certificate certE, where skE=KDF(mkE, re), and certE=h{mkE,ε|re|TSe}.
Secure channel setup secures communications between internal ECUs and the external entity, secure channels between internal ECUs and the gateway over the in-vehicle network, and between the gateway and the external entity over an external network.
Let each i only accept idiI and also idoI. When the gateway
is attached to the vehicle for the first time,
broadcasts authentication requests to the in-vehicle network as follows.
First, broadcasts 64-bit rg and 32-bit TSg with idoI to CAN bus. Then,
broadcasts n 64-bit certificates certig with each idiI to CAN bus. Since a modern vehicle is equipped with 70-100 ECUs, and
may broadcast 72 to 102 CAN frames on the bus, each
i may receive three values: rg, TSg and certig. After verifying rg and TSg with certig, each
i generates mki* where mki*=KDF{lkiI,rg} and mki*≡mkiI. Note that mki* is valid until TSg expires.
Unlike the in-vehicle network, assume external networks support two-way communications. Let an external entity ε attempt connection to the gateway . Then, ε randomly selects a nonce r1 and generates a challenge chal, where chal=enc(skE,r1|h{ri}), and enc(k,m) denotes a function enc that encrypts a message m with key k, ε then sends chal with re, TSe and certE to
.
After verifying certE, generates sk* and decrypts chal with sk*.
then randomly selects r2 and generates the response res, where res=h{sk*,
|ε|re|r1|r2}.
sends r2 and res to ε.
After verifying res, ε generates a session key ske, where ske=KDF{skE,re|r*}. ε also generates the conformation con=h{ske,ε||r*|re}, and sends con to
.
also generates ske, and verifies con. If con is verified, then
stores skE until TSe expires, and uses ske as a session key.
Upon receiving CERTI from ε, broadcasts CERTI as follows: First,
broadcasts 64-bit re and 32-bit TSe with idoI to CAN bus. Then, it broadcasts n 64-bit certiI to each
i. Optionally,
also broadcasts n 64-bit proofi to each
i, where proofi=h{mki, re|TSe|certiI}.
checks proofi and certiI, and then derives skiI. Other schemes for setting up a secure channel are contemplated by this disclosure and fall with in the broader aspects of this disclosure.
By way of background, in-vehicle communication between ECUs is shown in
, 1 ≤ i ≤ n, at frame count γ do
for idjI, 1 ≤ j ≤ n, i ≠ j
← h{lki,j,
}
,
to CAN bus
do
is valid then Accepts
Prior to sending the new message, the gateway may encrypt the new message at 83, for example using a secret key shared between the gateway and the external entity. In an example embodiment, the new message is encrypted using encryption algorithms such as AES (Advanced Encryption Standard). Additionally, the encrypted message may be hashed at 84 along with the shared secret key to generate a second message authentication code for the new message. In some embodiments, the size of the messages sent by the gateway to the external entity is larger than the message packets transmitted in the vehicle network. In this case, the gateway may append multiple messages together (e.g., see lines 6-8 of Algorithm 2) before sending a message to the external entity. To prevent modification of the message by a compromised gateway, the size of the appended message authentication codes is 64 bits or larger. That is, when the message authentication codes, γI, from the multiple messages are appended together, the number of bits is preferably 64 or larger. For example, when the message authentication code for a CAN message is 16 bits, then four messages are preferably appended together by the gateway (i.e., 16×4=64 bits). When the message authentication code for a CAN message is 8 bits, then eight messages are preferably appended together by the gateway (i.e., 8×8=64 bits). Lastly, the new message is sent at 85 by the gateway to the external entity.
An example algorithm for extracting messages by the gateway from the vehicle bus is set forth below.
do
} ← TF (idjI,
)
|
}
,
= [mγ|1 ≤ γ ≤ K}
)(Encryption)
← h{ske,
| ε |
}
, ε , CE,
to ε
The external entity may also verify the authenticity of the message content. The external entity, however, is not likely privy to the format of the vehicle manufacture and its proprietary protocols. Therefore, the external entity sends the decrypted message to the trusted third party which has been entrusted with the proprietary protocols of the vehicle manufacturer. The trusted third party can in turn validate the message authentication code (i.e., MAC1) which was derived using the content key shared between the sending controller and the external entity (e.g., see lines 10-17 of Algorithm 3). When the derived message authentication code matches the message authentication code extracted from the message, the content of the message has also been verified and the external entity is notified by the trusted third party. In this case, the external entity can proceed to process the message content. In some instance, the derived message authentication code does not match the message authentication code extracted from the message, for example if the gateway has been compromised. In these instances, the external entity is notified by the trusted third party and the message is discarded and/or other corrective action taken (e.g., shutting down the gateway).
An example algorithm for verifying data at the external entity is set forth below.
← h{ske,
| ε |CE}
≡
then
by decrypting CE
to TTP
from ε then
← TF−1(
)
← h{lki,j,
}.
≡
, where 1≤γ≤K then
Collectively, these methods provide a method for communicating information from the vehicle bus via a gateway to an external entity.
Conversely, an external entity may send a request for information to the gateway. In this case, the external entity sends a request to the gateway as described in relation to
After receiving the certificate, the external entity encrypts the data request at 101 using the certificate and a secret key shared between the gateway and the external entity. The external entity also generates a message authentication code at 102 by hashing the message content along with the shared secret key. The data request, along with the message authentication code, is sent at 103 by the external entity to the gateway. An example algorithm for sending the data request is set forth below.
for idiE
← TF−1(
)
}
← h{ske, ε |Ce}
to
The gateway in turn relays the data request to the intended ECU as shown in
An example algorithm for relaying the message to an intended ECU is set forth below.
do
,
then
← h{ske, ε |Ce}
≡
then
certit} ← dec{ske, Ce}
} ← TF−1 (idiE,
)
← h{mkiI, idiI| certit|
}
, certit,
do
and cert1t
and cert1t are valid then
Handling of the message received by the intended ECU is also described in the algorithm above (e.g., see lines 13-20).
Upon receiving a valid request, an ECU sends the requested data via the gateway back to the external entity. An additional message authentication code (Ag) is included in the reply message but otherwise the formulation of the reply message is substantially similar to the steps described in relation to Algorithm 1 (e.g., see lines 2-9 of Algorithm 6). The gateway in turn sends the message to the external entity. Assuming the additional message authentication code is valid, the message payload is translated from the format defined by the vehicle manufacturer to the open format. Along with a session key, the translated message identifier, the translated message payload and the message authentication code for the ECU are encrypted and a new authentication code is generated using the encrypted message. The encrypted message and the new authentication code are finally sent to the external entity. An example algorithm for relaying the message to an intended ECU is set forth below.
do
← h {lkI|
}
← h{mkI|
|
}
,
,
to CAN bus
do
is valid then
← TF(
)
)
← h{ske, CE}
to ε
Security of the proposed protocol was evaluated in relation to combatting a compromised gateway, or the bogus interpreter. Suppose the compromised gateway Advg attempts to forge the communication messages between i and
j and sends a bogus message to an external entity or to an internal ECU, or issues unauthorized/garbage messages to
i or even drop/delay messages.
Advg can proceed with fake translation of the in-vehicle data I to
F,E. To succeed in this attack, Advg generates AF,I, AF,I≡A*,I without knowledge of lki,j where A*,I ≡h{lki,j,
F,E}. While Advg sends a set of message
E and a set of MACs AE, Advg has to generate
AF,Is. For example, compromising 64 different 3-bit AF,I's is difficult to break 160 bit SHA-1, making the attack infeasible.
Advg may forge the information from E and send the fake translation F,I to
. To mount this attack, Advg has to generate a 16 or 32-bit certF without knowing lkiI, where certF≡certit and certit=h{lkiI|
F,I}. Thus, this attack is practically infeasible.
Advg may attempt to generate and send fake information to i. In this attack, Advg can generate the fake message
F,I and certF. However, as in the previous case, Advg also has to generate certF without knowing lki,j, making the attack practically infeasible.
Advg may attempt to drop messages between ε and i. Although internal ECUs cannot notice whether Advg dropped messages or not, ε can notice if the attack is mounted. For example, ε has a rule that it receives messages from
periodically, or receives response upon request within a certain time.
Since CAN data are proprietary for car manufacturers and hence unavailable, a CAN frame format, called RTCL-CAN, was designed based on the public information made available by Ford Motor Company. Table 2 lists the CAN frame definitions of RTCL-CAN. RTCL-CAN defines 19 types of information including steering wheel angle, torque at transmission, engine speed, and so on.
Each data in RTCL-CAN can be translated to/from JSON by the gateway and TTP using TF and TF−1. An example of this translation is illustrated below. As shown in Table 2 above, a frame for controlling the transmission gear position has CAN ID 0x06 and 4-bit data. It has 8 different states as shown in Table 3. Note the translation rule in this table is only for illustration, and the actual rules are proprietary to vehicle manufacturers and hence unavailable.
i, SOF and EOF fields are fixed, and RTR is also set to ‘0’ for a data frame. ID ‘00000000110’ indicates that the frame is for the transmission gear position. Data field contains ‘0110’ and MAC.
converts
I to the translated format
E.
translates the data with ‘transmission-gear-position’, ‘sixth’ using Table 3 and AI.
When ε sends a command {{transmission-gear-position}, {neutral}} to ,
translates it to ‘0x006’ and ‘0000’. Since CAN only provides up to 64 bits of data, it is not possible to assign a full-size MAC; for example, HMAC with SHA-1 generates 160-bit hash outputs. Thus, truncated MACs are assigned for CAN, e.g., AγI or A9. Two types of MAC as shown in
In-vehicle communication overhead of the protocol is evaluated for different sizes of MAC 1. The overhead of MAC 2 is the same as other general models.
While the above results shown that assigning 1-bit MAC 1 provides the best performance, one also has to consider the external communication overhead. The size of set E, is determined based on the size of MAC 1. The size of MAC is recommended to be more than 64 bits to achieve the practical security strength. Thus, assigning 1 bit for MAC 1 requires 64≤n at a time. For example, RTCL-CAN generates 82 messages per second and approximately an 8.2-Kbyte message can be transmitted at a time over external networks. The probability of Advg's success in compromising RTCL-CAN is ½82 with 1-bit MAC 1. However, sending large-size
E could degrade performance, since ε discards the entire set of messages even when one of many messages transmitted over the external network is found to have been compromised.
In contrast, assigning a larger-size MAC 1 (AγI) reduces potential transmission overhead over the external network, although it incurs slight performance degradation in CAN.
E.
The bit assignment depends on the underlying network environment. For example, implementing CAN-FD or FlexRay allows more bits for MAC 1. Also, implementing fastener technologies such as LTE, LTE-A as external networks supports larger E.
Urban areas generally have better network connectivity, so assigning a smaller MAC in each CAN frame will preserve the performance of the in-vehicle network. In contrast, rural areas may only support poor connectivity, so assigning a larger MAC could preserve the performance in external networks.
The computation overhead is a critical issue to powertrain control systems and SAE specifies 1 ms as an allowable delay for safety-critical control systems. In the proposed protocol, Ui only needs 2 hash computations (2H) to authenticate a message Ui generates AI and Ag, and verifies cert and AI. Thus, we evaluated the overheads on two industry-use processors; 32-bit MIPS (Chipkit MAX32) and ARM Cortex M3 (LPC1768) as Ui by implementing the HMAC-SHA1 function. The time for 2H only takes about 460 μs 45 μs and which is far below the 1 ms requirement.
Some portions of the above description present the techniques described herein in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. These operations, while described functionally or logically, are understood to be implemented by computer programs. Furthermore, it has also proven convenient at times to refer to these arrangements of operations as modules or by functional names, without loss of generality.
Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system memories or registers or other such information storage, transmission or display devices.
Certain aspects of the described techniques include process steps and instructions described herein in the form of an algorithm. It should be noted that the described process steps and instructions could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by real time network operating systems.
The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored on a computer readable medium that can be accessed by the computer. Such a computer program may be stored in a tangible computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
The algorithms and operations presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may also be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatuses to perform the required method steps. The required structure for a variety of these systems will be apparent to those of skill in the art, along with equivalent variations. In addition, the present disclosure is not described with reference to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present disclosure as described herein.
The present disclosure is well suited to a wide variety of computer network systems over numerous topologies. Within this field, the configuration and management of large networks comprise storage devices and computers that are communicatively coupled to dissimilar computers and storage devices over a network, such as the Internet.
The foregoing description of the embodiments has been provided for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure. Individual elements or features of a particular embodiment are generally not limited to that particular embodiment, but, where applicable, are interchangeable and can be used in a selected embodiment, even if not specifically shown or described. The same may also be varied in many ways. Such variations are not to be regarded as a departure from the disclosure, and all such modifications are intended to be included within the scope of the disclosure.
This application claims the benefit of U.S. Provisional Application No. 62/418,315, filed on Nov. 7, 2016. The entire disclosure of the above application is incorporated herein by reference.
| Number | Date | Country | |
|---|---|---|---|
| 62418315 | Nov 2016 | US |
