Implementing Scalable CAN Security with CANcrypt - CANcrypt functionality
Editor’s Note: Advanced vehicles present multiple threat surfaces and demonstrations of vulnerabilities continue to generate headlines. Among those vulnerabilities, the standard CAN bus has been a favorite point of entry, enabling access to the diverse digital control systems within newer vehicles. With the next generation of connected vehicles, the need for secure networking within vehicles becomes even more urgent as more diverse wireless connectivity options in vehicles present even more options for unauthorized access to vehicles and their control systems. In the book, Implementing Scalable CAN Security with CANcrypt, Olaf Pfeiffer offers a vitally needed improvement on the conventional CAN protocol.
Adapted from Implementing Scalable CAN Security with CANcrypt, by Olaf Pfeiffer (Embedded Systems Academy), 2017.
3 CANcrypt functionality
The first proof-of-concept implementations of CANcrypt were done on multiple NXP LPC17xx devices and a PC with a PEAK PCAN driver interface. Demo code is available for download at www.esacademy.com/cancrypt.
With CANcrypt, we offer a framework to handle both authentication and encryption of CAN messages. As there is some message overhead, the CANcrypt security features should be used only by a limited number of devices (the current version supports up to 15 devices) and only for selected messages (selected by CAN message ID). Depending on the chosen security level, encryption may be used not only on entire messages but also on selected bytes.
Security features are based on shared symmetric keys. There is a group key for all devices participating in the secure communication and a pairing key for secure channels between two devices. The secure pairing channel has a higher security level for use in system configuration or especially sensitive point-to-point connections such as bootloader communication.
The CANcrypt pairing mode connects a CANcrypt configurator with a CANcrypt device and provides a secure communication channel supporting both authentication and encryption.
Secure messages are transmitted in pairs: first a preamble message that contains security configuration details and a signature, followed by the message with the data.
The dynamic pairing key used between paired devices is continuously updated by introducing new bits generated as described in section 2.2.1, “The bit-generation cycle”. The update frequency is configurable.
Figure: Secure channels in a CAN system
The CANcrypt grouping mode establishes a group of secure devices. In this mode, every device produces a secure heartbeat. The dynamic grouping key is updated based on random values in the heartbeats. No other messages use security features.
All grouped devices monitor the network for manipulations (injections, collisions in the data field) and stop producing the secure heartbeat on detecting such a manipulation.
Receiving a secure heartbeat indicates that all previous messages from the transmitting device are authentic – otherwise the device would not have produced the secure heartbeat.
Note: due to application-specific delays in drivers and buffers, it might be necessary to wait for two subsequent secure heartbeats before considering a message authenticated.
Figure: Authenticated grouping in a CAN system
3.2 Basic functionality
In this section, we outline the basic functionality provided by CANcrypt. This includes generation and updates of keys, generation of the one-time pad, and the generation and evaluation of the secure message pair.
3.2.1 Key management and key hierarchy
Security systems require keys. Security keys require management. Who keeps a copy of which key where? Does a manufacturer need to keep a copy of each individual key of every product ever produced? Which keys does a system builder or integrator need access to?
To support multiple keys at different security levels (for example for the manufacturer, system integrator, and owner of a system), CANcrypt implements a key hierarchy of up to six keys. Each of these keys has a key ID, and the higher the value for a key ID, the higher the security level.
Keys can never be read from a CANcrypt device. They can only be erased or newly generated. To erase a key, a configurator must establish a direct secure connection (active pairing) to a single device based on one of the stored keys. Once the devices are paired, the configurator can erase keys of the same or lower hierarchy level only.
In summary: once a key is generated and saved, it can only be erased and regenerated if paired based on a key of the same or higher security level.
Figure: Key selection from key hierarchy
The pairing process requires one permanent key and may also involve an optional serial number as illustrated in the figure above, “Key selection from key hierarchy”. This method allows a manufacturer to use the same base key in multiple devices. As pairing (establishing a secure channel) may also involve the serial number, a service or maintenance login could still be device specific.
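The erase and regenerate rules of section 3.2.1 can be modelled as a device-side key store with no read path. This is an added sketch, not code from the book or the CANcrypt demo: the names (cc_store, cc_pair, cc_erase, cc_regenerate), the key IDs 1 to 6, the 16-byte key length and the erase-before-regenerate order are assumptions, and the pairing handshake itself is not modelled.

```c
#include <stdint.h>
#include <string.h>
#define CC_NUM_KEYS  6    /* page: hierarchy of up to six keys */
#define CC_KEY_BYTES 16   /* assumption: the page gives no key length */

typedef enum { CC_OK, CC_ERR_ID, CC_ERR_NO_KEY, CC_ERR_NOT_PAIRED,
               CC_ERR_LEVEL, CC_ERR_IN_USE } cc_status;

typedef struct {          /* deliberately, no function returns key[] contents */
    uint8_t key[CC_NUM_KEYS][CC_KEY_BYTES];
    uint8_t present[CC_NUM_KEYS];
    int     paired_id;    /* key ID of the active pairing, 0 = none */
} cc_store;

static int id_ok(int id) { return id >= 1 && id <= CC_NUM_KEYS; }

/* Pairing is only possible on a key the device stores (handshake not modelled). */
cc_status cc_pair(cc_store *s, int key_id) {
    if (!id_ok(key_id)) return CC_ERR_ID;
    if (!s->present[key_id - 1]) return CC_ERR_NO_KEY;
    s->paired_id = key_id;
    return CC_OK;
}

/* Shared gate: valid target, active pairing, target level <= pairing level. */
static cc_status cc_may_modify(const cc_store *s, int target_id) {
    if (!id_ok(target_id)) return CC_ERR_ID;
    if (s->paired_id == 0) return CC_ERR_NOT_PAIRED;
    if (target_id > s->paired_id) return CC_ERR_LEVEL;
    return CC_OK;
}

cc_status cc_erase(cc_store *s, int target_id) {
    cc_status st = cc_may_modify(s, target_id);
    if (st != CC_OK) return st;
    memset(s->key[target_id - 1], 0, CC_KEY_BYTES);   /* wipe, then mark empty */
    s->present[target_id - 1] = 0;
    return CC_OK;
}

/* Assumption of this sketch: a stored key must be erased before a new one is saved. */
cc_status cc_regenerate(cc_store *s, int target_id, const uint8_t *fresh) {
    cc_status st = cc_may_modify(s, target_id);
    if (st != CC_OK) return st;
    if (s->present[target_id - 1]) return CC_ERR_IN_USE;
    memcpy(s->key[target_id - 1], fresh, CC_KEY_BYTES);
    s->present[target_id - 1] = 1;
    return CC_OK;
}
```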
3.2.2 Updating the shared dynamic keys
The dynamic key gets continuously updated following a fixed time scheme. Depending on the configuration, typical update cycle times are 500 ms, 1 s, or 2 s.
For a single pair of devices, a single new bit is generated randomly, initiated by the configurator. With multiple devices, the secure heartbeat is used by all participants to introduce new random values.
Figure: Dynamic key generation with shared random numbers
As part of the secure heartbeat, all participating (grouped) devices exchange encrypted random numbers. These shared random numbers are used to generate a new synchronized shared key as illustrated in the figure above. Up to 15 devices can actively participate in this mechanism.
This dynamic key is re-generated with every secure heartbeat cycle.
In paired mode (only two devices involved), the random-bit-generation cycle is used to introduce new bits to the shared dynamic key.
Figure: Adding a new bit to the dynamic key
The new bit or bits get shifted into the dynamic key (shift right). This is done in parallel by both paired devices as illustrated in the figure above, “Adding a new bit to the dynamic key”. The figure below, “New bit is shifted in”, shows the new dynamic key now used by the devices. This updated key is now used for future pseudo one-time pad generations until a new bit gets introduced.
Figure: New bit is shifted in
Even if the key update is executed by all CANcrypt devices in parallel, a secure message might still be received using the previous key. Therefore all devices must keep a copy of the previous dynamic key to decrypt and authorize messages that still use the previous key until the key update has been executed by all nodes.
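The shift-right update and the previous-key fallback described above, as an added sketch that is not code from the book or the CANcrypt demo. The 64-bit key length, the choice of byte 0 as the most significant byte, all function names and the toy_tag routine are assumptions; toy_tag only stands in for CANcrypt's signature check, which this page does not specify, and is not a secure MAC.

```c
#include <stdint.h>
#include <string.h>
#define KEY_BYTES 8   /* assumption: 64-bit dynamic key; the page gives no length */

typedef struct {
    uint8_t cur[KEY_BYTES];
    uint8_t prev[KEY_BYTES];
    int     has_prev;          /* previous key still accepted? */
} dynkey_t;

/* Shift the key right by one bit; the new shared bit enters at the top of byte 0. */
void dynkey_shift_in(dynkey_t *k, unsigned bit) {
    unsigned carry = bit & 1u;
    memcpy(k->prev, k->cur, KEY_BYTES);   /* keep the old key for late frames */
    k->has_prev = 1;
    for (int i = 0; i < KEY_BYTES; i++) {
        unsigned out = k->cur[i] & 1u;    /* bit that falls into the next byte */
        k->cur[i] = (uint8_t)((k->cur[i] >> 1) | (carry << 7));
        carry = out;
    }
}

/* Call once all nodes have executed the update; how that is known is the caller's policy. */
void dynkey_retire_prev(dynkey_t *k) {
    memset(k->prev, 0, KEY_BYTES);
    k->has_prev = 0;
}

/* Stand-in keyed tag (FNV-1a over key, then data). NOT CANcrypt's signature, NOT secure. */
uint32_t toy_tag(const uint8_t *key, const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_BYTES; i++) h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < len; i++)       h = (h ^ data[i]) * 16777619u;
    return h;
}

/* 0 = valid under the current key, 1 = valid under the previous key, -1 = reject. */
int dynkey_check(const dynkey_t *k, const uint8_t *data, size_t len, uint32_t tag) {
    if (toy_tag(k->cur, data, len) == tag) return 0;
    if (k->has_prev && toy_tag(k->prev, data, len) == tag) return 1;
    return -1;
}
```

Retiring the previous key promptly matters: while it is held, a frame signed under the old key is still accepted.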