Scribd
Upload
293 views2 pages

Autosar Secoc For Can FD

CAN FD enables the full implementation of Autosar's Secure Onboard Communication concept by allowing messages to include both a large payload and strong cryptographic protections like a full-length MAC. However, CAN FD networks require techniques like Denso's Ringing Suppression Circuitry to prevent bit errors from signal reflections in large topologies. While CAN FD improves security and efficiency over Classical CAN, its deployment is more complex due to issues like ringing that must be addressed through topology design or additional technologies.

Uploaded by

gptg
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
293 views2 pages

Autosar Secoc For Can FD

CAN FD enables the full implementation of Autosar's Secure Onboard Communication concept by allowing messages to include both a large payload and strong cryptographic protections like a full-length MAC. However, CAN FD networks require techniques like Denso's Ringing Suppression Circuitry to prevent bit errors from signal reflections in large topologies. While CAN FD improves security and efficiency over Classical CAN, its deployment is more complex due to issues like ringing that must be addressed through topology design or additional technologies.

Uploaded by

gptg
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

Autosar SecOC for CAN FD

Engineering

With the migration to CAN FD, new security concepts have become possible: It
enables the Autosar concept Secure Onboard Communication, which detects
attacks on the network.

F or more than 20 years, CAN has been and still is the dom-
inating communication system in vehicles. With the ris-
ing complexity of in-vehicle functions, Classical CAN can-
transceivers. Therefore, it can be used in CAN FD networks
and allows engineers to develop software using all technical
advantages of CAN FD. RSC is already specified in CiA as
not satisfy the increasing demand for an effective data rate CiA 601-4, with ongoing continuous improvement of 601-4 as
any longer. Therefore, CAN FD was introduced – it allows well as standardization activities on ISO-level (11898-2).
for a payload up to 64 byte to achieve data rates of 2 Mbit/s
and 5 Mbit/s. To exploit this major advantage for advanced CAN FD to completely enable SecOC
functions, challenges of larger network topologies have to be
addressed. In particular, the so-called ringing effect has a tre- The Autosar concept Secure Onboard Communication
mendous impact on the communication reliability. One of the (SecOC) was specified to check the authenticity of a single
major benefits of CAN FD is that it enables security for sin- transmitted protocol data unit, in order to detect attacks such
gle protocol data units using the Autosar concept Secure as replay, spoofing and tampering. As the recently published
Onboard Communication (SecOC). hacks have shown, gaining access to the CAN network is typ-
ically the only barrier to taking remote control of a vehicle.
Ringing Once on the bus, the attacker can imitate a legitimate sender
and gain control of the behavior of the entire vehicle. With
In CAN FD networks with more than two nodes, reflections
of communication voltage waves, which occur because of key. Assuming proper system design, this is only possible by
impedance mismatches in a network at the signal transition physical access to the vehicle and destruction of the respec-
frequencies, generate ringing. The impedance mismatches tive control unit. Therefore, such attacks can be prevented.
occur mainly at non-terminated nodes and the junction. The SecOC module calculates and adds a message
When a transmitter outputs a recessive state, the output of authentication code (MAC) to the protocol data unit. For
the transmitter has a high resistance. Therefore, signal ring-replay protection, a freshness value has to be included in the
ing occurs in particular during the transition from recessive-cryptographic calculation. The PDU is transmitted together
to-dominant. In addition, a negative reflection occurs at the with the MAC and freshness value in one frame. With Clas-
junction because the impedance decreases. This results in a sical CAN, only a part of the freshness value for synchroni-
lower impedance than the characteristic impedance. If ring- zation and only a part of the MAC can be added due to the
ing does not converge below a predetermined voltage until limited frame size of 8 byte. The receiver then calculates the
the defined sampling point, a bit malfunction occurs. MAC of the PDU and the freshness value and compares it
To avoid this, we developed the so-called RSC – ringing with the one it (partially) received. If there is no match, the
suppression circuitry. This circuitry detects the change from PDU is dropped and ignored.
dominant to recessive state and changes the impedance to However, some issues with the application of SecOC
120 Ohm. An internal MOS component detects this falling to serial products remain. Challenging topics, not dealt with
edge and activates the ringing suppression. This suppres- by the standard, are the key management, freshness value
sion circuit can be seen as a circuit comprised by resistors handling, and recovery strategy. The recovery strategy for
and switches, which take the energy out of the network. RSC instance is how to deal with failed authentications, how to
was designed to be compatible to all ISO 11898-2-compliant ensure the functionality or at least the safety of the system
in such a case, and how to recover
the system operation when partic-
ipants are out of synchronization.
Another critical factor is the Classi-
cal CAN frame, which provides only
8 byte of payload. While NIST rec-
ommends truncation of the MAC
below 64 bits only in conjunction
with a careful analysis, a Classical
Figure 1: Left: Conventional CAN FD transceiver; right: Denso RSC transceiver CAN message would be entirely
(Photos: Denso Automotive Deutschland) occupied by the MAC and leave

44 CAN Newsletter 1/2017


CAN FD in order to accelerate the inevitable introduction of
new features. RSC enables the design of large CAN FD net-

Summary

Autosar Secure Onboard Communication is limited in


Classical CAN networks due to its payload of only 8 byte.
Figure 2: Process of secure onboard communication in With CAN FD, SecOC can be used without limitation such
Autosar (Photo: Denso Automotive Deutschland) as MAC truncation and omission of freshness synchroni-
zation. However, CAN FD cannot be deployed as easily
as Classical CAN. For larger networks, either the topology
has to be reduced in complexity or other technologies have
to be applied to attenuate ringing effects. The use of RSC
Figure 3: CAN FD has the potential to increase both security simplifies the upgrade to CAN FD for any existing (Classi-
and efficiency (Photo: Denso Automotive Deutschland) cal CAN) topology and also allows for more freedom in the
topology design.
no space for the actual payload. To retain a decent commu-
nication efficiency, the MAC must be truncated to a shorter
length, which also reduces the level of security the MAC
can provide. The MAC could also be sent in another frame,
which improves the security but has quite an impact on the
busload and communication effort. By switching to CAN Authors
FD, the payload of up to 64 byte allows the transmission of
a reasonable amount of data in conjunction with a "secure" Dr. Tobias Islinger, Yasuhiro Mori, Jennifer Neumüller,
MAC length. Ultimately, the limitations of Classical CAN Martin Prisching, Dr. Robert Schmidt
hinder the wider and more effective introduction of essen- Denso Automotive Deutschland GmbH
tial security technology. Therefore, CAN-based mission- [email protected]
critical communication should follow the evolution to www.denso-auto.de

You might also like