Encrypted Signal Transmission with AUTOSAR in a CAN-FD Network

July 23, 2015 // By Armin Happel, Vector Informatik
In today’s vehicle networks, data transmission is for the most part performed without any special security measures. That is, in accessing a vehicle’s bus system, it is possible to read the data transmitted in raw format or to even play it into the bus system in modified form. Encrypted data transmission would not only ensure that this information can only be evaluated by authorized recipients, it would also make it much more difficult to intercept or alter the messages.

Media reporting about vehicle manipulation [1, 2] raises the question of whether data in the vehicle network can actually be influenced by manipulation. Can a manipulated device or internally implanted device with a remote control function influence vehicle behavior? And what countermeasures can be taken to prevent such manipulation?

Today’s vehicles are highly complex systems, which consist of networked sensors and actuators and continually transmit important data over bus systems. In the vast majority of cases, the information being transmitted is in raw data format. A plausibility check, if such a check is even possible, has limited effectiveness. The receiver is unable to verify whether the data was actually supplied by the desired sender or whether it was fed in by an outside electronic control unit, i.e. whether it is authentic data. The data is freely accessible as well, so an analysis of the bus information can be used to determine signal contents. The transmission is neither confidential nor authenticated.

This was the problem that engineers at Vector were confronted with. Their task was to come up with an implementation for secure communication over a CAN network which could be used flexibly and could also be integrated with AUTOSAR-3.x basic software. Key protection goals, along with authentication, included preventing replay attacks. It would be desirable to implement communication that could not be accessed externally.

For the encryption method, the specialists chose the AES algorithm [3]. From today’s perspective this method is considered cryptographically secure. It involves symmetrical block encryption with a block length of 128 bits. It generates 16 bytes or a multiple of 16, which the sender transmits to the receiver. It is advantageous that some microcontrollers already have very fast hardware implementations of this algorithm.

Since a CAN message can transmit a maximum of 8 data bytes per frame, a decision was made to utilize the ISO transport protocol (TP) that was already included in the communication stack for the transfer. This required simplifying the CAN configuration and protocol for unidirectional communication with a fixed 1:1 relationship between sender and receiver.

Design category: