Authentication And Encryption for SAE J1939 And Other CAN Bus Protocols

Posted by Industry News on

Implementing Scalable CAN Security with CANcrypt: Authentication and encryption for CANopen, J1939 and other Controller Area Network or CAN FD protocols

When the Controller Area Network (CAN) standard was designed, security was not a requirement. The primary use of the CAN bus was considered to be in closed systems; possible intruders or attackers would simply not get physical or remote access to the network. Today, however, it is increasingly common for devices connected to a CAN system to also have connections to other networks, including the Internet. Recent car hacks have shown that attackers may get access to CAN systems. Without strong security features, an attacker automatically gains full access to everything connected, allowing active control commands to be recorded and replayed.

In this book we examine which options developers of CAN-based systems can realistically use to provide adequate security features. What can we do without using heavyweight security features? What can we do to detect possibly injected messages? What can we do without any hardware change? What can we do with minimal software modifications? The CANcrypt protocol and software are introduced as a scalable security solution for the Controller Area Network. Free demo examples including C source code can be downloaded from ESAcademy's web pages.

CAN messages contain payloads of only a few bytes and need to be processed in real time by microcontrollers that are sometimes tiny, have few resources and lack any hardware security features.

The CANcrypt system adds different levels of security features to CAN. The basic functionality provided supports the grouping of multiple devices and supports authenticated communication between them based on a secure heartbeat. The required system resources are not only minimal in comparison to traditional cryptography methods, they can also be scaled towards the application’s security requirements. On the higher end, CANcrypt supports AES-128 based encryption and authentication.

A key hierarchy allows the implementation of a smart, simplified key management supporting manufacturers, system builders/integrators and owners.

The CANcrypt system is protocol independent and can be used with CANopen or other higher-layer CAN protocols. Up to 15 devices can participate in the secure communication. A manager / configurator is only required for the generation and exchange of keys, but not during regular operation.