The CANcrypt system by Esacademy (Germany) adds multiple levels of security to CAN. It supports the grouping of multiple devices and the encrypted and authenticated communication between them.
Commonly used security methods for authentication and encryption on the Internet cannot easily be applied to CAN and CANopen networks. CAN messages can consist of single bytes and need to be processed in real time by minimal micro-controllers, usually without any security hardware features.
The CANcrypt system by Esacademy adds multiple levels of security to CAN. It supports the grouping of multiple devices and the encrypted and authenticated communication between them. The required system resources are minimal compared to traditional cryptography methods and can be scaled to the application’s security requirements. A key hierarchy enables implementing a smart, simplified key management that supports manufacturers, system builders/integrators and owners.
The system is protocol-independent and can be used with CANopen or other higher-layer CAN protocols. Up to 14 devices can participate in the secure communication. A manager or configurator is required for the generation and exchange of keys, but not during regular operation.
At the Embedded World 2016, Embedded Systems Academy announced their book “Implementing Scalable CAN Security with CANcrypt”. The book covers authentication and encryption for CANopen and other Controller Area Network protocols and will be published in Q2/2016. The corresponding CANcrypt demo code will be published using an open license.
Looking at CAN and CANopen systems, three threat levels that apply to most applications including automotive, industrial, medical, and other machinery can be identified: Unlimited physical access, sniffer access, and remote access.
If an intruder has unlimited physical access to the entire network including device PCBs, then available security options are limited. Having access to all debug ports of the micro-controllers of a system provides many other attack vectors besides CAN/CANopen. CANcrypt does not cover this aspect.
On obtaining direct access to a CAN/CANopen system (by connecting a sniffer device or a laptop with a CAN interface), an intruder has read access to all communication on the network. If the intruder has write access, “denial of service” style attacks (swamping the bus with messages so nothing else gets through) cannot be prevented.
The last attack level is becoming more and more popular: remote access through a device that is a gateway to other networks. An example is remote diagnostics. A manufacturer of a system using CAN/CANopen might not be fully capable of prohibiting a remote access device. For example, a technician or system integrator might add a remote access device after delivery and initial installation.
All secure communication uses a preamble message that announces the following message. Received messages are only accepted (passed on to the application) if together with the preamble, the authentication and decryption are successful. The shared key is continuously updated and synchronized between the devices.
For key generation, CANcrypt uses a CAN feature that allows two devices to exchange a bit that is not visible to other CAN devices. This feature allows generating pairing keys that only the two participants know. The keys are symmetrical and dynamic and they are continuously updated. From the dynamic key and a message counter a pseudo one-time pad is generated that is used for the simple, customizable encryption.
CANcrypt provides the following services:
Pairing: a dynamic generation of a random key that is only known by the paired devices; optionally, one device can enforce a preset key to the other. The system generates and exchanges keys, optionally stores keys in non-volatile memory for permanent pairing, supports a key hierarchy when multiple keys are stored, maintains a dynamically changing key (pseudo one-time pad), updates the dynamic key using a shared random bit.
Grouping: multiple devices share a common dynamic key. The dynamic key is cyclically updated by all grouped devices.
Safety communication: any secure communication uses a preamble message. Received messages are only accepted and passed on to an application if the authentication and decryption is verified successfully together with the preamble. The preamble identifies message CAN ID, security features used, has a counter and a signature. Secure messages must be received within 10 ms after the preamble to be valid.
News and reports