SPsec - Small Packet Network Security
CANcrypt 2.0

In a blog entry from last year, we announced a “Two-year project for security of CANopen and other small-packet networks.” It is now time to give you an update on where we are with our SPsec (Securing Small-Packet Networks) project.

It comes as no surprise that adding security to small-packet networks like CAN, I2C, LIN, Modbus, and other fieldbuses is a challenge. The small packet sizes offer only limited space for security information such as an authentication tag, and these networks are often handled by microcontrollers with limited computational and memory resources. Our initial goal was to protect only selected communication channels; we are now aiming to protect all communication in such a network. The reason is that, for many industrial applications, recent acts and regulations like the European Cyber Resilience Act (CRA) will require security-by-design in the near future. For several use cases, they will also request that all data at rest and in motion be both authenticated and encrypted.

We defined the following SPsec key points and cryptographic primitives:

For more detailed information, see our white paper “Cybersecurity Primitives for Small-Packet Networks”.

Our first proof-of-concept implementation will be based on the PCAN-Router FD from PEAK-System. These devices have two CAN (or CAN FD) interfaces, of which we use one for unprotected communication from a host system. The router implements an SPsec sub layer and uses the second interface for the secure communication. This allows for easy testing and debugging, as there will be one CAN bus with the protected communication and one with the unprotected communication, allowing a direct comparison.

Later the SPsec sub layer will be added to our Micro CANopen source code and integrated into various CANopen or CANopen FD devices for further testing.

View Documents

SPsec 101 Concept

Scope for SPsec (Small-Packet Network Security Sublayer)
 
SPsec 102 Glossary

Summarizes the terms used by SPsec
 
SPsec 201 Generic Specification

Defines the basic data types and services of SPsec
 
SPsec 301 Generic Mapping

Defines a generic mapping of SPsec functions and methods to communication systems
 
SPsec 302 CAN FD Mapping

Defines the CAN FD specific mapping of SPsec functions and methods