Abstract
There are dozens of proposals for securing the controller area network (CAN); however, only a few of them are concerned on how to share secret keys between CAN nodes. Recently, some works have used the non-destructive property of CAN arbitration in order to exchange a secret key and achieve information theoretic security for the key exchange. In our proposals, we exploit both delays and the non-destructive arbitration of CAN to achieve a secure key exchange. While our approach is less efficient when it comes to bandwidth, we do not require any kind of additional hardware and we build our implementation on the software layer which is accessible for any CAN-based application. To boost efficiency, we finally bootstrap secret keys by means of the guessing-resilient protocols, such as encrypted-key-exchange (EKE) and simple password exponential key exchange (SPEKE). In principle, a few dozen frames suffice for a secure key-exchange between two CAN nodes. We discuss several protocol versions and extensions for the case of more than two parties. We also present the experimental results on modern automotive-grade controllers to prove the performance of our solution.
Highlights
AND MOTIVATIONIn the recent years, numerous works have been focusing on designing security protocols for the controller area network (CAN) bus [18], showing innovative solutions from the use of cryptographic message authentication codes [20], [27], group key-sharing [17], signal characteristics [11], [35] or network delays [9], [37]
In the recent years, numerous works have been focusing on designing security protocols for the CAN bus [18], showing innovative solutions from the use of cryptographic message authentication codes [20], [27], group key-sharing [17], signal characteristics [11], [35] or network delays [9], [37]
Electronic control units with low computational power, that cannot handle public key encryption, proceed in identical fashion to what is suggested in Figure 26 but they skip the Encrypted Key Exchange (EKE)-DH negotiation and the session key follows from the frame timing alone
Summary
Numerous works have been focusing on designing security protocols for the CAN bus [18], showing innovative solutions from the use of cryptographic message authentication codes [20], [27], group key-sharing [17], signal characteristics [11], [35] or network delays [9], [37]. The secret w can be an existing secret shared between the nodes as current AUTOSAR specifications have support for key-exchange protocols [2] and ask for security on in-vehicle units [3] In this case, the procedures that we discuss here can be used as a covert channel to further re-enforce an existing key. The last two versions of our schemes: time-triggered minimax and the randomized delay key negotiation set room for piggybacking frames with parts of the keys that are shared via the Diffie-Hellman (DH) version of the Encrypted-KeyExchange protocol (EKE) [6] and Simple Password Exponential Key Exchange (SPEKE) [22] This is possible in case of the later schemes that we introduce since the bits of the key that are to be negotiated are known in an a-priori manner. We try to cover both scenarios where mid to high-end automotive grade controllers are present, as well as scenarios with low-end cores
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
