pns for can plug-and-secure communication for can · ae/pj-sci1 - arthur mutter | 16th february...
TRANSCRIPT
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
PnS for CAN Plug-and-Secure Communication for CAN
Vector CAN FD Symposium Stuttgart, Germany February 16th 2017 Dr. Arthur Mutter
1
SP12-012: Physical Key Generation
CR/AEH4 - Andreas Mueller | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Huge Potential Damage
Especially via Remote Attacks!
2015: 72 million new cars sold Source: OICA via Statista.de
2
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Motivation Facts Current trends (e.g. Cloud/Internet connectivity)
lead to novel & serious security threats Today‘s CAN networks are often hardly secured Cryptographic methods may help (e.g. message auth.)
However Key agreement and distribution is not a solved or trivial problem
Reasons: security, effort, computational complexity, price Keys have not been attacked – simply because they did not exist
Basic Idea: Exploit special properties of CAN bus (dominant / recessive bits)
Especially suitable against software-based & remote attack scenarios
Our Idea: Plug-and-Secure
A novel approach for completely automated & secure key establishment of very low complexity for CAN networks (“plug-and-secure”)
malicious counterfeit products
Integration of CE1 devices
Selected Security Threats
Cloud / Internet
1Consumer Electronics
3
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Agenda
Basic idea
Major benefits
Security considerations
Implementation options and details
Demonstrator
1Consumer Electronics
4
Tx Alice Tx Bob Rx All
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Random Number Alice Random Number Bob
Shared Secret = Tx Alice + Rx All
Eve cannot calculate shared secret
Inverse Shared Secret = Tx Bob + Rx All
Overlay of signals on the CAN bus
Alice Bob
1
2
3
Eve
1 0 1 0 1 0 1 0 1 0
1 1 0 0 1 1 0 1 0 1 1 0 0 1 1 0 0 1 1 0
Basic Idea
5
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Generate a random bit string of length N
SAlice = 1 1 0 0 1 1 0 1 0 1
Generate a random bit string of length N
SBob = 1 0 0 1 1 0 0 1 1 0
1a
Transmit bit sequence simultaneously
Seff = SAlice* AND SBob
* = 10 00 01 00 10 00 01 10 00 00
2
Replace: 0 01 1 10
SAlice* = 10 10 01 01 10 10 01 10 01 10 SBob
* = 10 01 01 10 10 01 01 10 10 01
1b Replace: 0 01 1 10
Alice Bob Bus 0 0 0 0 1 0 1 0 0 1 1 1
CAN Bus = Alice AND Bob
’10’ or ‘01’ = both users have transmitted identical bits
’00’ = both users have transmitted different bits
Discard bits corresponding to ’01 or ’10’ in Seff in initial bit sequences SAlice / SBob
3
SAlice = 1 1 0 0 1 1 0 1 0 1 SBob = 1 0 0 1 1 0 0 1 1 0 X X X X X
1 0 1 0 1 0 1 0 1 0
Inverse sequences = shared secret
Alice Bob
X X X X X
Details
6
CR/AEH4 - Andreas Mueller | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Major Benefits
Plug-and-Secure Communication for CAN Simplicity / Ease-of-Use Efficient for group keys1
Universal applicability
Low complexity & low cost Works w/ any CAN controller
Seamless integration into CAN ecosystem
1Technical paper: http://eprint.iacr.org/2016/601
Easy & scalable re-keying
010010
Low bandwidth requirements
ECU
ECU
ECU
ECU
7
CR/AEH4 - Andreas Mueller | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Remote Attacker Model
Alice Bob Eve CAN Transceiver
CAN Controller
Microprocessor
Malicious SW
Victim of a remote attack
1
2
3
Eve is using standard HW with modified (malicious) SW
Eve may eavesdrop on all messages exchanged on the CAN bus
Eve may inject arbitrary bits on the CAN bus (via the CAN transceiver)
Assumptions
Highly relevant attacker model due to easy scalability of attacks!
8
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Remote Attacks
Fact: Alice + Bob derive secret only from secure bit pairs (“00” on bus) Eve
Idea: Passively eavesdrop on the channel during key setup
A passive Eve cannot determine the established secret bits
Eve Idea: Actively interfere with key establishment procedure
An active Eve can prevent a successful key establishment
An active Eve cannot determine or influence the established keys
Action: Eve transmits dominant bits leads to “00” bit pairs on bus Result: Alice + Bob derive different secrets Solution: Perform key verification after key generation
9
CR/AEH4 - Andreas Mueller | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Attacker Model with Physical Access to CAN Bus
Alice Bob Eve
Direct access to the CAN bus with own hardware (e.g., oscilloscope)
With physical access, an attacker could compromise a vehicle much easier (e.g., cut a cable)
Attacks requiring physical access do not scale; threat with physical access always existed
Countermeasures are possible e.g., artificial (random) jitter in bit timing
BUT:
Voltage Timing
Principle Threats
Attacker needs detailed knowledge of the CAN bus
Physical access enables more sophisticated attacks (e.g., exploitation of timing or attenuation effects) Others
10
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Implementation: PnS Module in Microcontroller
1If no secure component is available, “PnS for CAN” module might be directly connected to CPU
Properties in Microcontroller
“PnS for CAN” module is a reduced CAN controller low costs
connects to the CAN bus in parallel to CAN controller
competes with the on-chip CAN controller and other CAN devices via arbitration
is compatible to any CAN controller
Separation of core functions in dedicated HW module is good from a security point of view
Secure component (optional) stores keys and performs crypto functions1
Secure IF Host IF
CPU
Memory CAN Controller
Secure Component (e.g., HSM)
CAN_RX
Tx_CC
Tx_PnS
CAN_TX
CAN Transceiver
&
PnS for CAN
PnS for CAN
µC
PnS for CAN
CAN_H CAN_L
Software Hardware
11
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Implementation: PnS Module in CAN Transceiver Properties
No modifications of existing µC HW necessary quick upgrade path
May be combined with any existing µC
Communication between “PnS for CAN” module in TRX and µC via SPI
Encapsulation of core functions in HW module good from a security point of view
Secure component (optional) stores keys and performs crypto functions1
in CAN Transceiver
PnS for CAN
Transceiver
Secure IF Host IF
CPU
Memory CAN Controller
Secure Component
(e.g., HSM)
&
PnS for CAN
PnS for CAN
µC SPI
CAN_H CAN_L
PnS for CAN
Software Hardware
1If no secure component is available, “PnS for CAN” module might be directly connected to CPU
Actual Transceiver
12
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Synchronization of Frame Transmission (I) Target: KeyExchangeFrames of Alice and Bob need to overlay
Challenge: Alice and Bob need to synchronize Therefore: One node triggers the other node E.g.: Alice tells Bob to start TX of KeyExchangeFrame
Overlay of KeyExchangeFrames on the CAN bus
Alice Bob
ID X CRC
ID X CRC
ID X CRC
Tx Alice
Tx Bob
Rx All
13
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Synchronization of Frame Transmission (II) Procedure Alice/Bob: CPU configures frame ID X in PnS Alice: Sends a frame with ID X Bob: When PnS detects frame ID X
on CAN bus, it switches its status from Receiver to Transmitter
Properties Independent, precise, simple
ID X CRC
Bob Receiver Bob Transmitter
Host IF
CAN_RX
Tx_CC
Tx_PnS
CAN_TX
& µC
PnS for CAN
CPU or HSM
CAN Controller
Alice Transmitter
KeyExchangeFrame
14
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Demonstrator Feb. 2016: “Embedded World” Demo Nov. 2016: “Electronica 2016” Demo
15
AE/PJ-SCI1 - Arthur Mutter | 16th February 2017 | © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Plug-and-Secure Communication for CAN
Summary Task
Secure Key Establishment
Properties Very low complexity, high efficiency, low cost
Operation On any CAN bus (Classical CAN or CAN FD)
Implementation PnS Module required in Microcontroller or Transceiver
Major Strengths Remote / SW-based attacks, Automated key exchange
…
PnS for CAN
16