RSS Feed

Embedded Systems Blog

Upcoming conferences and presentations

January 16th, 2017 Ralf No comments

This spring, the tutors of ESAcademy present five CAN and CANopen related papers at the 16th international CAN Conference and the Embedded World Conference 2017.

16th iCC, 7th to 8th March 2017 in Nuremberg
www.can-cia.org/services/conferences/icc/icc-2017/

Bernhard Floeth (Opel) and Olaf Pfeiffer (ESAcademy):
Using an enhanced condensed device configuration file format for CANopen boot-loading and/or device testing
This paper presents the enhanced CDCF player integrated in our free CANopen File Player and CANopen Diag projects. It supports spreadsheet based (.csv) Object Dictionary access with active flow control. (Tuesday, March 07, 2017, Session II)

Andrew Ayre (ESAcademy):
Automated trace analysis for testing of CANopen devices
This paper presents a summary of the debug information extractable from CANopen trace recordings. The functionality described in this paper are implemented in our Logxaminer software. (Wednesday, March 08, 2017, Session VII)

Olaf Pfeiffer (ESAcademy) and Christian Keydel (ESAcademy):
Scalable security for CAN, CANopen, and other CAN protocols
This paper describes the main functionality of the CANcrypt security framework described in our book “Implementing Scalable
CAN Security with CANcrypt”. (Wednesday, March 08, 2017, Session VIII)

Meet our tutors at our tabletop display table at the conference.

Embedded World Conference 2017, 14th to 16th March 2017, Nuremberg
www.embedded-world.eu/program.html

Christian Keydel (ESAcademy):
Secure CANopen (FD) Bootloading
This paper shows how to adapt the security mechanisms introduced by CANcrypt to CANopen, CAN (FD) and bootloading. (THURSDAY, MARCH 16, 2017, Session 25/I)

Olaf Pfeiffer (ESAcademy):
CiA 447, the CANopen Standard for After-Market Automotive Applications
This paper summarizes the key features of the CANopen application profile CiA 447. These include wake-up and sleep mechanisms as well as plug-and play functionality. (THURSDAY, MARCH 16, 2017, Session 25/II)

Meet our tutors at the PEAK System booth (Hall 1, Booth 1-483)

We look forward to meeting you

Categories: CAN, CANopen, Security Tags: , , ,

CANcrypt technical functionality

February 26th, 2016 Olaf No comments

A summary of the technical features used by CANcrypt

By Olaf Pfeiffer, Embedded Systems Academy GmbH, 26th of February 2016

At the Embedded World 2016 in Nuremberg, Embedded Systems Academy GmbH announced their book “Implementing Scalable CAN Security with CANcrypt”. The corresponding CANcrypt demo code will be published using an open license. At the Embedded World we have seen a lot of interest in the technical details. For those who do not want to wait until the publication of the book this article summarizes the key technical features of CANcrypt (also see our CANcrypt.eu web page for more information).

Core Functionality of CANcrypt

CANcrypt provides the following services:

  • Pairing: dynamic generation of a random key that is only known by the paired devices; optionally, one device can enforce a preset key to the other.
    • generate and exchange keys
    • optional storing of keys in non-volatile memory for permanent pairing
    • support of a key hierarchy when multiple keys are stored
    • maintain dynamically changing key (pseudo one-time pad)
    • dynamic key updated using shared random bit
  • Grouping: multiple devices share a common dynamic key
    • originally assigned through pairing
    • maintain dynamically changing key (pseudo one-time pad)
    • dynamic key cyclically updated by all grouped devices
  • Safety communication: any secure communication uses a preamble message
    • messages received are only accepted and passed on to application if together with the preamble the authentication and decryption is verified successfully
    • preamble identifies message CAN ID, security features used, has a counter and a signature
    • secure messages must be received within 10ms after the preamble to be valid

CAN message IDs required:

  • one CAN ID for each participating device
  • used for preamble and control messages
  • a CAN ID pair used for the random bit generation cycle

Cipher methods used

CANcrypt keys are symmetrical and dynamic, they are continuously updated. From the dynamic key and a message counter a pseudo one-time pad is generated that is used for the simple, customizable encryption.

If the secure pairing is only active for two nodes, a random bit generation cycle is used continuously in the background to introduce new bits to the dynamic key. If multiple nodes are paired, then the dynamic key update information is sent via an encrypted message.

The system pairing process is started using a CANcrypt configurator device. This can be done by a system builder or integrator once the CAN system is installed. It must happen in a secure environment. The keys generated at that time are stored locally in the devices connected – there is no need to keep any further copy of this key outside the system, minimizing the effort placed on key management. The keys cannot be duplicated. If a new device is added (or one exchanged), all keys need to be erased and newly generated.

As stored keys in each device make up a hierarchy, we can guarantee that erasing and regenerating keys can only happen when the configurator used is logged-in to the system based on a key high enough in the hierarchy to allow erasing and re-paring.

Operating principle for random bit generation

Bit generation cycle

Solely by monitoring CAN messages, one cannot identify the device that sent any individual message, because at that level, any device can transmit any message. As an example, let us allow two devices (named initiator and responder) to transmit messages with the CAN IDs 0010h and 0011h (and data length zero) within a “bit select time window”. Each node shall then randomly choose and send one of the two messages at a random time within the time window.

At the end of the bit select time window, a trace recording will show one of the following scenarios:

  1. One or two messages of CAN ID 0010h
  2. One each of CAN ID 0010h and 0011h
  3. One or two messages of CAN ID 0011h

Let us have a closer look at case 2 – one each. If these are transmitted randomly within the bit response time window, then an observer has no way to identify which device sent which message. However, the devices themselves know it and use this information to derive a bit from it.

Unfortunately we cannot use case 1 and 3, so if those happen, both nodes need to recognize it and re-try, using another next bit select time window.

Note 1: If one device wants to enforce a specific bit to the other, it may generate a “flip bit” message at the end of the cycle to indicate to the other device that this bit needs to be flipped.

Note 2: A variation of this scheme is to not use a random delay, but instead ensure that both devices transmit their message immediately after the trigger message. Then both messages arbitrate the bus at the same time and in a trace recording we will always see 0010h followed by 0011h.

Potential attacks: As usual, a denial-of-service kind of attack is always possible. By injecting messages an attacker can break the cycle, the devices would not be able to exchange a key in the first place. If an attacker has full physical access (oscilloscope, transceiver), he can determine which node sent which message. However, there is still some effort required to recognize which bits were actually generated (as participating devices can change interpretation). Last but not least anything “random” is always an attack vector. The participating devices need a reasonably good random number generator.

Book announcement: Implementing Scalable CAN Security with CANcrypt

February 22nd, 2016 Olaf 1 comment

Nuremberg, 22nd of February 2016: Embedded Systems Academy announces their new book “Implementing Scalable CAN Security with CANcrypt”. You can meet the authors at the Embedded World 2016 from February 23rd to 25th in hall 1, booth 620 – the booth of our partner PEAK-System.

The book covers authentication and encryption for CANopen and other Controller Area Network protocols and will be published in Q2/2016. The introduced CANcrypt system by ESAcademy adds multiple levels of security to CAN. CANcrypt supports the grouping of multiple devices and the encrypted and authenticated communication between them. The CANcrypt security layer sits between CAN driver and higher layers and is therefore independent of higher-layer protocols or applications used.

The required system resources are minimal compared to traditional cryptography methods and can be scaled to the application’s security requirements. A key hierarchy enables implementing of smart, simplified key management that supports manufacturers, system builders/integrators and owners.

Demo and example code will be published using the BSD license.
For more information see www.cancrypt.eu