Professional Documents
Culture Documents
04-1
iCC 2015 CAN in Automation
04-2
iCC 2015 CAN in Automation
III. Review: Security for CAN Networks complexity as well as the comparatively
large amounts of data that have to be ex-
The protection of the integrity of a message
changed between two nodes in order to set
and the assurance of the authenticity of its
up a (secure) symmetric key. Besides, it
sender should generally be among the top
should not be forgotten that the security of
security goals in CAN-based networks as
the Diffie-Hellman key exchange relies only
CAN is widely used for controlling physical
on the difficulty to efficiently solve the dis-
systems or processes with a potential direct
crete logarithm problem on finite fields or el-
impact on safety. Therefore, unauthorized
liptic curves using state-of-the-art methods.
manipulations have to be prevented or they
Therefore, the approach may become inse-
should at least be detectable. Confidential-
cure from one day to the other if adequate
ity, in contrast, is considered to be only of
progress is made in this respect. This could
secondary importance and may be useful
be the advent of a high performance quan-
for making it harder for an attacker to learn
tum computer, for example.
the current system state or for delivering
critical software updates, for example. In the next section, we therefore propose a
novel approach for establishing symmetric
In principle, all these security goals could
cryptographic keys between two nodes (or
be achieved in exactly the same way as in
to be more precise: an approach for estab-
the conventional IT world (e.g., using digital
lishing a shared secret, based on which
signatures, message authentication codes,
symmetric keys can be derived), whose se-
etc.), but for optimal performance the spe-
curity does not rely on hard mathematical
cific constraints of CAN-based networks
problems, but rather on physical properties
should be properly taken into account. This
of the CAN bus. Furthermore, it has an ex-
includes things like the limited data rate and
tremely low complexity, low bandwidth re-
message sizes, for example, as well as the
quirements and may be readily imple-
limited computational power and memory of
mented in practical systems. Finally, it may
many CAN devices. Therefore, in [6] and [7]
also be used for efficiently refreshing al-
several security mechanisms specifically
ready established keys, thus making it a
optimized for CAN have been proposed,
very useful and promising building block for
which take these specific constraints into
future secure CAN networks.
account. In this regard, symmetric crypto-
graphic schemes turn out to be the basis for
most of the proposed schemes due to their
IV. CAN-Based Key Establishment
limited computational complexity and band-
width requirements. The use of symmetric The basic idea of our approach is that Alice
cryptography, however, requires the availa- and Bob agree on a shared secret / key by
bility of symmetric (i.e., identical) keys at means of a public discussion using stand-
the involved nodes and the distribution / es- ard CAN messages. In particular, both
tablishment of these keys represents a ma- nodes simultaneously transmit appropriate
jor challenge. Possible options include a CAN frames, so that Eve is only able to see
manual distribution of keys, e.g., at the end the superposition of both messages, with-
of a production line. This, however, involves out knowing the exact content of each of
a considerable (organizational) complexity them. However, since Alice and Bob them-
and reaches its limitations if one or several selves know what they have transmitted
devices have already been compromised and since they can see the superposition of
before being integrated into the network (for both messages as well, they may readily
example due to an attack performed at the conclude what the respective other peer
supplier). Besides, an automated refresh- has transmitted and thus establish a shared
ment of keys cannot be realized this way. secret that is not known to Eve.
An alternative approach that has been ac- For the concrete realization, we rely on the
tively discussed and considered in recent characteristic property of the CAN bus that
years is to use key establishment schemes bit 0 is dominant and bit 1 is recessive,
based on asymmetric cryptography for that which represents also the basis for the clas-
purpose, such as the Diffie-Hellman key ex- sical bus arbitration. In fact, if Alice and Bob
change protocol [8],[9]. Major drawbacks of simultaneously transmit a certain bit (as re-
this approach are the high computational quired for our approach), there are in total
04-3
iCC 2015 CAN in Automation
four different cases that may occur. These Example: In Seff given above, there is a 1
are put together in Table 1. Clearly, if one in tuples number 3, 7 and 8 (assuming that
of the two nodes transmits a dominant bit we start counting the tuples with 1).
(0), also the effective bit on the CAN bus
is a 0 and only if both nodes transmit a re- 5) Alice and Bob delete the bits in their
cessive bit (1), we also have the recessive original random bit sequences RAlice and
state after the superposition on the CAN RBob corresponding to the tuples which
bus. Therefore, the CAN bus may be con- included a 1 as determined in step 4.
sidered as a logical AND function of the in- The result are two shortened bit se-
dividually transmitted bits. quences, denoted as KAlice and KBob.
Table 1: Possible Combinations of Domi- Example: Based on the outcome of step 4,
nant and Recessive Bit Transmissions. Alice and Bob have to delete the bits at po-
Alice Bob
Effective Bit sitions 3, 7 and 8 in their original bit se-
on CAN Bus quences RAlice and RBob. Hence, we get:
0 0 0
KAlice = 0 1 1 0 1 0 0 1 0 1 = 0 1 0 1 0 0 1
0 1 0
1 0 0 KBob = 1 0 1 1 0 1 0 1 1 0 = 1 0 1 0 1 1 0
1 1 1
Please note that this is done because
The actual procedure for agreeing on a whenever the effective bit on the CAN bus
shared secret between Alice and Bob is a is a 1, it is clear that both Alice and Bob
multi-step approach as follows: must have transmitted a 1. Likewise, since
the two bits in a tuple are always inverse to
1) Alice and Bob generate independently each other (cf. step 2), it is also clear that
of each other random bit strings RAlice both nodes must have transmitted a 0 for
and RBob of a pre-defined length N. the other bit in that case. However, exactly
Example (for N = 10): the same conclusion can also be drawn by
RAlice = 0 1 1 0 1 0 0 1 0 1 Eve and therefore the tuples including a 1
RBob = 1 0 1 1 0 1 0 1 1 0 do not provide any usable information for us
as no secrecy is contained. For that reason,
2) Alice and Bob extend these random bit these bits are simply removed from Seff.
sequences in such a way that after each
bit the corresponding inverse bit is in- 6) The resulting (shortened) bit sequence
serted, leading to the modified bit se- of Alice (KAlice) is now exactly the in-
quences SAlice and SBob of length 2N. verse of the corresponding bit se-
quence of Bob (KBob), which eventually
Example: is the established shared secret.
SAlice = 01 10 10 01 10 01 01 10 01 10
SBob = 10 01 10 10 01 10 01 10 10 01 Clearly, what remains after step 5 are the
bits that are different in the initial bit strings
3) Alice and Bob simultaneously transmit RAlice and RBob. When simultaneously trans-
the bit sequences SAlice and SBob, lead- mitting SAlice and SBob, we always get 00 for
ing to the superimposed (effective) bit the tuples corresponding to these bits.
sequence Seff on the CAN bus, which is Hence, by eavesdropping on Seff, Eve only
given as Seff = SAlice AND SBob. knows that Alice and Bob have inverse bits
in their original random bit sequences RAlice
Example: and RBob at that position, but she is not able
Seff = 00 00 10 00 00 00 01 10 00 00 to tell which one has the zero and which
Clearly, Eve may easily determine this bit one has the one. Alice and Bob, in contrast,
sequence as well by means of simple pas- know which bit they have transmitted them-
sive eavesdropping on the channel. There- selves, they can also conclude that the re-
fore, it does not really help us further, yet. spective other peer has transmitted the in-
verse bit by evaluating Seff and therefore
4) Alice and Bob determine all tuples in Seff they have a clear advantage compared to
which include a 1. Eve. Thus, KAlice and KBob are unknown to
Eve, but are known by Alice and Bob.
04-4
iCC 2015 CAN in Automation
keys accordingly for increasing the security change (01 or 10) in both SAlice and SBob
level. The periodicity of the key refreshment after each sequence of at most four bits.
may be adaptively adjusted depending on This way, Alice and Bob would always
the respective needs, thus making it a very transmit the same two bits at this position
flexible and powerful solution in practice. and since the two bits include a bit change,
the bit stuffing rule is never violated in the
Finally, it should be noted that CAN is a
error-free case. However, this would come
multicast-based communication protocol
at the cost of a higher overhead, of course.
and messages transmitted by one node
Alternatively, Alice and Bob could deter-
generally have to be received by multiple
mine on-the-fly when it is necessary to in-
nodes. This implies that in many cases not
sert a stuff bit. In fact, both nodes have to
only the communication between two
read back the effective bit sequence Seff an-
nodes has to be secured, but rather the
yway and thus they could check in real-time
communication between groups of several
if there have been five identical bits effec-
nodes. Hence, cryptographic schemes for
tively on the bus and dynamically insert the
message authentication, encryption, etc.
inverse bit afterwards in that case. Com-
may only be reasonably applied in these
pared to the first solution, the additional
cases if all devices belonging to a certain
overhead would be significantly lower, but
group are in possession of the same cryp-
in return the complexity and processing re-
tographic key. The procedure proposed in
quirements are somewhat higher.
this paper, however, cannot be extended to
a multi-node setup in a straightforward A similar problem occurs with the cyclic re-
manner. Nevertheless, there are still sev- dundancy check (CRC) field of a CAN
eral possibilities how so-called group keys frame in case of a direct implementation of
may be established. In the simplest case, the proposed approach. Since Seff depends
all nodes of a certain communication group on both SAlice and SBob, the valid value for
could establish a pairwise key with one par- the CRC field of the effective message on
ticular node of that group (e.g., a gateway the bus would generally not be equal to the
node), and then this node may generate a superimposed CRC fields of the messages
suitable group key and signal it to all nodes transmitted by Alice and Bob in case that
of the group in a secure manner using the they calculate the CRC field in such a way
previously established pairwise keys. that the transmitted frames are valid. In or-
der to solve this issue and thus assure full
backwards compatibility to standard CAN,
V. Implementation Aspects
the correct CRC value that matches to the
As already outlined in the previous section, effective CAN frame on the bus could also
the bit strings SAlice and SBob are preferably be calculated by both nodes on the fly and
transmitted in the payload field of a CAN then be appended to that frame after the
frame. Without any additional measures, payload field. While making sure that the ef-
however, this may lead to problems and/or fective frame on the bus is a valid CAN
compatibility issues in practical realization. frame (based on existing specifications), it
In particular, with a direct implementation of has the nice side effect that this procedure
the proposed approach, the superimposed would automatically help to make sure that
CAN frame on the bus may violate the bit both Alice and Bob have received the same
stuffing rule since even if the individual bit effective bit string Seff (which is essential for
strings SAlice and SBob adhere to this rule, it deriving the same shared secret). This is
cannot be assured that this is also the case because if one of the two nodes has re-
for the effective bit string Seff on the bus. For ceived at least one erroneous bit but the
example, if SAlice = 01010101 and SBob = other one hasnt, they would append differ-
10101010, both strings would be valid, but ent CRC fields in general, which may be de-
Seff = SAlice AND SBob = 00000000 would tected by one of the nodes if a recessive bit
clearly violate the bit stuffing rule. Hence, is overwritten by a dominant one.
other nodes may generate an error frame if
With the previously described approaches
they observe such a violation on the bus
for dealing with bit stuffing violations and
and clock resynchronization may become
the CRC field, it is possible to achieve full
more difficult. A relatively simple solution to
backward compatibility in the sense that all
fix this problem is to insert a fixed bit
04-6
iCC 2015 CAN in Automation
frames on the CAN bus are always in line cannot tell what the status on the CAN bus
with the existing specifications at least in would have been without her transmission.
the error-free case. Hence, smooth migra- Therefore, we may conclude the following:
tion paths become possible, where not all
Conclusion 1: An active Eve may disturb
nodes connected to a CAN bus necessarily
our procedure in such a way that the gen-
have to support the proposed approach and
erated secret bit strings KAlice and KBob are
existing hardware / software may widely be
actually not equal on both sides. In order to
reused. A practical implementation may be
be able to detect such cases, therefore ad-
done solely in software (using CAN/GPIO
ditional mechanisms should be introduced,
re-pinning, for example, and thus directly
with which Alice and Bob can verify that
accessing the CAN transceiver from the mi-
they have really generated the same secret
croprocessor) or hardware-assisted, where
bit sequences KAlice and KBob. This could be
an additional hardware module may take
done by calculating and exchanging a hash
care of the specific requirements of the pro-
value of these bit sequences, for example.
posed approach, such as the synchronized
transmission of Alice and Bob. In this re- Conclusion 2: An active Eve is not able to
gard, we envision flexible implementation enforce the generation of a particular
options, where existing CAN controllers shared secret between Alice and Bob
taking care of the regular CAN communica- (which she then would be aware of) and/or
tion do not have to be modified at all as long to learn the shared secret that is estab-
as they are supplemented by an additional lished between both nodes. This is because
(lightweight) hardware / software module. KAlice and KBob depend not only on Seff
(which may be determined and influenced
by Eve), but also on the bits of RAlice and
VI. Security Considerations
RBob, which are unequal on both sides, and
If Eve as modeled in Section II is only pas- Eve has no way to determine these bits.
sively eavesdropping on the CAN bus, she
Conclusion 3: An active Eve may easily
is not able to readily determine the estab-
perform a denial-of-service attack by com-
lished shared secret bit sequences KAlice or
pletely preventing the establishment of a
KBob. As already outlined in Section IV, she
shared secret, for example by continuously
just knows that the remaining bits were dif-
sending a dominant bit. However, this
ferent for both nodes, but unlike Alice and
threat exists basically for any scheme since
Bob cannot tell who has transmitted the
an active Eve may easily block any CAN
zero and who the one. If, in contrast, Eve is
communication on the bus. In this case, the
trying to perform an active attack, for exam-
fail-safe mode of all devices should prevent
ple by sending additional own bits during
any serious safety-critical impact.
the exchange of SAlice and SBob between Al-
ice and Bob, there are two different possi- If we deviate from the attacker model intro-
bilities that have to be considered: duced in Section II and consider not only
remote attacks, but also attacks with direct
1) Eve is transmitting a recessive bit
access to the CAN bus (e.g., using own
2) Eve is transmitting a dominant bit
high-end equipment), the situation is get-
Transmitting a recessive bit is no different ting more challenging. Without any further
from not transmitting at all since a recessive ado, a passive eavesdropper might be able
bit does not change the effective state on to determine the shared secret established
the CAN bus. Therefore, we only have to between Alice and Bob in this case by ana-
analyze what Eve might do by superimpos- lyzing the voltage levels on the CAN bus,
ing another dominant bit to the bits ex- for example. This is because for fixed posi-
changed between Alice and Bob. To this tions of Alice, Bob, and Eve, the voltage
end, it is important to remember that with level that Eve can observe on the bus may
the procedure proposed in Section IV only be different depending on whether Alice is
those bits remain in the final shared secret transmitting a dominant bit and Bob a re-
for which the effective bit on the CAN bus cessive one or vice versa. For the remote
was 0 for both the transmission of the orig- attacker case, this was not an issue since
inal and the inverse bit (cf. step 5). Moreo- she may only access the CAN bus via a
ver, if Eve transmits a dominant bit, she
04-7
iCC 2015 CAN in Automation
04-8