NETWORK DEVICE AND NETWORK SYSTEM
1. An electronic control unit (ECU), comprising:
- a computer configured to judge whether a message from at least one ECU of a plurality of ECUs is a valid message or not, and to detect a malicious message; and
a controller configured to, if the malicious message is detected, overwrite the malicious message with an ERROR FRAME code during receipt of a data frame,wherein the ECU is connected to the at least one ECU via a controller area network (CAN) bus,wherein the computer is configured to detect the malicious message by using an ID, a payload a cycle, and a frequency.
A network device connected via a bus with a plurality of network devices includes: an authentication unit that executes authentication based upon message authentication information included in data transmitted, via the bus, by one of the plurality of network devices acting as a sender device; and a processing unit that invalidates the data upon determining that unauthorized data have been transmitted by the sender device impersonating another network device among the plurality of network devices if the authentication fails.
- 1. An electronic control unit (ECU), comprising:
a computer configured to judge whether a message from at least one ECU of a plurality of ECUs is a valid message or not, and to detect a malicious message; and a controller configured to, if the malicious message is detected, overwrite the malicious message with an ERROR FRAME code during receipt of a data frame, wherein the ECU is connected to the at least one ECU via a controller area network (CAN) bus, wherein the computer is configured to detect the malicious message by using an ID, a payload a cycle, and a frequency.
- View Dependent Claims (15)
- 2. A network device, comprising a processor wherein the processor is configured to:
(1) judge whether a message from at least one network device of a plurality of network devices is a valid message or not; and
to detect a malicious message;
(2) if a malicious message is detected, overwrite the malicious message with an ERROR FRAME code; wherein the network device is connected to the one network device via a controller area network (CAN) bus, wherein the processor is configured to detect the malicious message by using an ID, a payload, a cycle, and a frequency.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16)
- 14. An electronic control unit (ECU), comprising:
a controller configured to, if the malicious message is detected, overwrite the malicious message with an ERROR FRAME code, wherein the ECU is connected to the at least one ECU via a controller area network (CAN) bus,
- View Dependent Claims (17)
The present application is a Continuation of U.S. patent application Ser. No. 15/228,608, filed Aug. 4, 2016, which is a Continuation of U.S. patent application Ser. No. 14/563,217, filed Dec. 8, 2014, which is based upon and claims the priority from Japan Patent Application No. 2013-257364, filed Dec. 12, 2013. The entire contents of all of the above applications are incorporated herein by reference in its entirety.
The present invention relates to a network device and a network system.
The following non-patent literature describes technologies constituting the background art in the field pertaining to the present invention: T. Matsumoto, M. Hata, M. Tanabe, K. Yoshioka, K. Oishi, “A method of preventing unauthorized data transmission in controller area network”, Vehicular Technology Conference (VTC Spring), 2012 IEEE 75th (2012). This publication describes the following issues “The CAN protocol is designed for bus networks. Each CAN message (CAN frame) has no source and no destination addresses. Therefore, every message is broadcast on a bus. Once an attacker infiltrates an ECU, he can impersonate any other ECUs on the same bus, because any ECU (node) connected to a bus can send arbitrary message. However, the CAN protocol supports no sender authentication and no message authentication.” describing issues of the CAN technologies. It proposes, as a means for addressing these issues, “a method of preventing unauthorized data transmission by leveraging the CAN'"'"'s broadcasting nature. In the proposed method, the ECU to be impersonated monitors and detects the impersonated message and overrides it by sending ErrorFrame before the message transmission completes”.
The non-patent literature quoted above does not include any description of security measures for a sender network device. If the sender network device is attacked and goes down, protection against the attack cannot be assured since other network devices cannot easily detect the attack. Highly advanced security measures, such as introducing security modules and a verification method to prevent from an implementation of any element of vulnerability, must be taken in order to protect network devices from attacks. This means that individual sender network devices must incur significant costs for such measures.
According to the first aspect of the present invention, a network device connected via a bus with a plurality of network devices comprises: an authentication unit that executes authentication based upon message authentication information included in data transmitted, via the bus, by one of the plurality of network devices acting as a sender device; and a processing unit that invalidates the data upon determining that unauthorized data have been transmitted by the sender device impersonating another network device among the plurality of network devices if the authentication fails.
According to the second aspect of the present invention, a network system comprises: a network device according to the first aspect; and the sender device.
The following is a description of preferred embodiments of the present invention. The explanation focuses on operations of devices and systems on a network such as an onboard network installed in a mobile body such as a vehicle, data being transmitted/received through the network. While the present invention is ideal in applications in an onboard network device and a data transmission/reception system in an onboard network, it may be otherwise adopted in a network device and a network system other than an onboard network device and a data transmission/reception system in an onboard network.
The GW 303, which may be connected to a plurality of network links 301, assigns an ID to each link and is thus able to identify a specific link for which internal processing is being executed. The ID enabling such identification will be referred to as a link ID. The link ID may be otherwise referred to as a channel ID or a domain ID.
The topology example presented in
In the example presented in
The GW 303 is not necessarily physically separated from an ECU 302. For instance, the present invention may be adopted in conjunction with ECUs having a GW function or a GW having an ECU function.
In the following description of the embodiment, network protocol conversion is carried out at the GW 303 but is not carried out at the SW 304. The present invention may also be adopted either in the GW 303 or in the SW 304.
In the following description, devices such as the GW 303, the ECUs 302 and the SW 304, which are connected via network links, may be otherwise referred to as network devices.
Communication is carried out via network links 301 in compliance with a network protocol (procedure), which will be described later. In compliance with the protocol to be described later, communication is carried out by appending a header, which is determined in the protocol, to data (hereafter referred to as communication data or payload) to be transmitted/received between network devices.
An ECU 302 executes mobile-body control processing based upon data received through the network so as to, for instance, output a control signal to the hardware, output a control signal and the information to the network and alter the internal state.
The use of the security module 407 makes it possible to protect the key information from unauthorized access and reduce the processing load such as authentication. However, if it is not critical to assure strict tamper resistance, the security module 407 will not be necessary.
In conformance to the CAN or CANFD protocol, communication is carried out by network devices connected on a common network link, each network device setting a bus signal to the dominant value (0) at the time of transmission and each network device detecting the bus signal to be either in the dominant state (0) or the recessive state (1) at the time of transmission or reception.
An SOF (Start Of Frame) indicates the start position of the frame. It is also used for frame synchronization.
In an identifier (ID) field, the ID of the particular CAN data (hereafter referred to as a CAN ID) is indicated. The data type of the CAN data can be identified based upon the CAN ID.
The ID field and an RTR (Remote Transmission Request) bit are referred to as an arbitration field and this field is used for bus arbitration.
An RB1 and an RB0 are reserved bits, where the dominant value is consistently input in the example presented in
A data length code indicates the length (number of bytes) of the data in a data field.
The content of the data to be transmitted are indicated in the data field. Data equivalent to N bytes are transmitted by assuming a variable length. The data field may otherwise be referred to as a payload.
CRC results for the frame are entered in a CRC field. When the frame is transmitted, the recessive value is sustained in a CRC delimiter bordering on an acknowledge field.
When a receiver node (network device) has received the data successfully, the acknowledge bit in the acknowledged field is set to the dominant value in response. A response pertaining to data having been transmitted is thus returned.
An EOF (end of frame) indicating the terminating end of the frame is a 7 bit recessive field. Data are transmitted and received by adopting the format described above.
Various types of control are executed for a vehicle via an onboard network engaged in processing whereby, for instance, a particular network device regularly transmits a value (e.g., a sensor value) obtained by the particular network device through measurement, to the network and a state indicated by the value is reported to another network device.
In a CAN, arbitration is carried out in the arbitration field when data are transmitted. When data transmissions start simultaneously, a network device with lower priority (with a greater CAN ID (i.e., the network device having transmitted fewer dominants during the arbitration)) suspends the transmission. This means that even when individual network devices attempt to transmit data cyclically, a suspension may occur as a result of the arbitration or another network device may already be transmitting data when a data transmission starts. In such a case, the transmission cycles may become offset. This phenomenon, in which a plurality of network devices attempt to transmit data with overlapping timing or in which the bus is already being used when a network device attempts a data transmission, will be referred to as a collision.
Next, the CANFD protocol will be explained. Since the CANFD is a protocol that is an extended version of the CAN, the following explanation will focus on the difference from CAN.
An EDL is a bit indicating that the CANFD format is assumed. Namely, the EDL set to the recessive value indicates that the transmission data assume the CANFD format and the EDL set to the dominant value indicates that the transmission data assume the CAN format.
A BRS indicates whether or not the bit rate is to be switched during data transmission. The BRS set to the recessive value indicates that the bit rate is to be switched during the data phase, whereas the BRS set to the dominant value indicates that the bit rate is not to be switched.
An ESI indicates an error status of the network device that is to transmit data. The ESI set to the dominant value indicates that the network device to transmit data is in an error active state, whereas the ESI set to the recessive value indicates that the network device to transmit data is in an error passive state.
In addition, the method adopted for data length coding, in the data length code field, in the CANFD protocol is different from that in the CAN protocol.
The CRC field in the CANFD protocol assumes a variable length. In other words, the field length, which changes in correspondence to the data length, takes on a 17-bit field length or a 21-bit field length. In addition, the CANFD protocol accommodates 2 bit data in the CRC delimiter field and the acknowledge field.
An RB1 and an RB0 are reserved bits, where the dominant value is consistently input in the example presented in
The arbitration field and the control field in the CAN protocol may otherwise be referred to as a header.
The CRC field is included in order to enable verification as to whether or not a signal contains any error. If data having been received by the recipient match the content having been transmitted by the sender and the content resulting from a CRC operation executed at the sender, the identical results are indicated through a CRC operation executed on the recipient side. These measures allow the recipient to decline data reception (to discard the data) if the received data do not match the transmission data that the sender has intended to send (in the event of a CRC error).
In a preamble field and an SFD (Start Frame Delimiter) field, data assuming a fixed pattern, used to achieve communication synchronization, are entered. In a destination address field, the address of the data transmission destination is indicated, whereas in a source address field, the address of the data transmission source is indicated. In a type field, a value indicating a upper layer protocol type is entered, with the length indicating the length of the data field (octet: in 8-bit units), whereas the payload of the data is entered in a data field. An FCS (Frame Check Sequence) is a field for frame error detection where operation results similar to the CRC operation results explained earlier are held. The numerical values in the figures each indicate the length (in octet units) of the corresponding field.
The IP (Internet protocol) represents an example of a upper layer protocol to the Ethernet and CAN protocols. Data structures that may be adopted for data in conformance to the Internet protocol are shown in
Upper protocols to the IP protocol include the TCP protocol and the UDP protocol.
Within the layered structure constituted with the plurality of protocols described above, communication may be carried out by using, for instance, the TCP/IP/Ethernet protocols. Under such circumstances, communication data to be transmitted are appended with the TCP header, the IP header and the Ethernet header and all the data are joined or split as needed before they are transmitted.
By comprehending the layered structure, the exact positions in the received data at which the information identifying the sender and the information identifying the content of communication are inserted and the position of the data needed for authentication can be accurately ascertained.
The protocols described above include fields with specific bits indicating a predetermined value or a value within a predetermined range. Such a specific bit may be, for instance, a reserved bit. An instance of any of such bits indicating a value other than that defined in the particular format will be referred to as a format error.
In addition, a bit stuffing rule, whereby a different value is taken after a given value is sustained over five consecutive bits, is adopted in the CAN protocol so that the same value is not consecutively taken for six bits or more during normal communication. An infringement of this stuffing rule will also be referred to as a format error.
Furthermore, a manifestation of a pattern other than a predetermined pattern (e.g., serial electrical potential values are indicated four times in a row), attributable to the modulation method adopted in the physical layer or the coding method adopted in the data link layer, will also be referred to as a format error.
When data are transmitted in conformance to any of the protocols described above, the sender transmits each signal by controlling the level (1, 0) of the electrical potential or by controlling the level of the electrical potential differential between twisted-pair cables, and the recipient receives signals by making a decision under similar control. In such a data transmission, a dominant signal status, as defined in the protocol physical layer, may manifest.
For instance, in the CAN protocol, the electrical potential is set to 0 or the potential differential is set to 0 in the dominant state (0), and if any of the network devices connected to a link grounds a signal line thereof, the other network devices cannot issue the recessive value (1). For this reason, data indicating the recessive value can be overwritten, whereas data indicating the dominant value cannot be overwritten.
In the Ethernet protocol, which adopts a different structure for the physical layer, the electrical potential being transmitted can be set to an overwritable value or an nonoverwritable value by likewise grounding a signal line so as to allow or disallow a data overwrite.
The filter table 505 is a management table used to determine whether or not data transfer via the bus is permitted based upon whether or not the target data have a match in the data IDs 1201. Filter tables 505 are also installed in the GW 303 and the SW 304 where data transfer processing is executed to transfer data with a matching data ID 1201 from one network link 301, i.e., the uplink, to another network link 301, i.e., the downlink. The filter tables 505 installed in the GW 303 and the SW 304 each function as a forwarding table that indicates, based upon the sender Link ID 1202 and the recipient Link ID 1203, a specific uplink through which data matching a specific data ID 1201 arrive and a specific downlink through which the data depart. The filter tables 505 installed in the GW 303 and the SW 304 also each function as a protocol conversion table that indicates, based upon the sender protocol 1204 and the recipient protocol 1205, whether or not protocol conversion must be executed as the data, having arrived through the uplink, depart through the downlink.
Examples of the data ID 1201 include CAN IDs in the CAN protocol and the CANFD protocol, MAC addresses in the Ethernet protocol, IP addresses in the IP protocol, port number in the TCP protocol or the UDP protocol, and a combination of different types of information listed above. For instance, the communication route and the engaged service can be identified based upon the port number in combination with the source and destination IP addresses.
The authentication target flag 1206 indicates whether or not to execute authentication processing, which will be described later, for the data being transferred via the bus. “Yes” indicates that authentication is to be executed for the data, whereas “No” indicates that the data are not to undergo authentication processing. When data bearing all data IDs are authentication targets or only data entered in the key management table 504 to be described later are designated as authentication targets, the authentication target flag 1206 is not required.
The GW 303, having a filter table 505 installed therein, detects, based upon the filter table 505, data being transferred between ECUs 302 connected to a common network link 301 via the bus or detects data transferred over two network links 301. The GW 303 references the sender protocol 1204 and the recipient protocol 1205 registered in the filter table 505 and executes data protocol conversion as needed during the data transfer processing. An ECU 302 having a filter table 505 installed therein does not engage in data transfer processing from one network link 301 to another network link 301. This means that as long as the protocol used in the single network link 301 to which the particular ECU 302 is connected is set, the filter table 505 does not need to hold information indicating the sender link IDs 1202, recipient link IDs 1203, sender protocols 1204 and recipient protocols 1205. If the SW 304 does not execute protocol conversion when data are being transferred from one network link 301 to another network link 301 and a predetermined limited protocol is used in the plurality of network links 301 to which the SW 304 is connected (e.g., only the Ethernet protocol is used in the plurality of network links), the filter table 505 in the SW 304 does not need to hold information indicating sender protocols 1204 and recipient protocols 1205.
In order to enable data detection processing via the communication interface 402, the processor 401 reads filter information registered in correspondence to data IDs assigned during the design phase to indicate, for instance, transfer-requiring data, from the filter table 505 and sets the filter information thus read out in the communication interface 402. The communication interface 402, with the filter information indicating specific data IDs set therein, monitors signals transferred from sender ECUs 302 to recipient ECUs 302 via network links 301. If data bearing a data ID matching a data ID specified as an authentication target are being transferred on the network links 301, the communication interface 402 hands over the data together with the data ID to the processor 401 so as to enable the processor 401 to execute authentication processing. If the authentication is to be executed in the communication interface 402, the data and the data ID do not necessarily need to be handed over to the processor 401.
During the data detection processing, the communication interface 402 is able to register a data ID other than the data IDs stored in the filter table 505, as explained earlier as an example, by adding the new data ID into the filter table 505. The communication interface 402 may register, for instance, a CAN ID in the CAN protocol or an Ethernet address with a mask specification (which allows any value to be received for a specific bit) into the filter table 505 so as to be able to detect data corresponding to a data ID within a specific range, or it may mask all the bits in a CAN ID or an Ethernet address so as to be able to detect all the data.
In response to a data transfer processing instruction issued by the processor 401, input together with transfer target information to the communication interface 402 disposed in the GW 303 or the SW 304 engaged in data transfer processing for data transferred from the uplink to the downlink, data obtained by appending necessary information to the transfer target information and assuming a data format conforming to the network protocol are put out through a network link 301.
In addition, the communication interface 402 processes the specified data as well as detecting and transferring the specified data. For instance, if the current value of a signal on a network link 301 is 0 in digital representation (e.g., if the electrical potential at the particular network link 301 is lower than a reference value), the communication interface 402 executes an operation for rewriting the signal value to 1 in digital representation (e.g., indicating that the electrical potential at the network link 301 is higher than the reference value). It also executes a reverse operation for rewriting the current signal value of a signal on the network link 301 from 1 to 0 in digital representation. These operations are also executed when returning a communication response (e.g., an Ack (Acknowledgement)).
Examples of impersonation or spoofing, prevention of which is a primary objective of the present invention, will be described next in reference to
The data tampering at the ECU_A is not the only example way of an impersonation attack. An impersonation attack may be otherwise carried out by directly connecting an unauthorized device to the network link 301 or by posing as a device connected to the ECU to transmit false information.
An impersonation attack may be prevented through authentication of data (a message). The term “authentication” refers to a technology whereby the sender creates a signature (electronic signature) by using undisclosed information (hereafter referred to as a key or key information) and the recipient confirms that the data were sent by the right sender by verifying the signature.
For instance, the data may be verified as un-tampered data having been transmitted by the right sender by authenticating a signature (MAC: Message Authentication Code) as message authentication information. Procedures through which this authentication may be carried out are shown in
Next, the hash is encrypted (encoded). The key (sender key) held by the sender and accompanying information are used for purposes of encryption. A signature created by encrypting the hash with the sender key is then transmitted together with the data.
The term “accompanying information” is used to refer to information used separately from the key in order to prevent, for instance, a bias in the signature being created. An initialization vector (IV) may be used as such accompanying information. The accompanying information includes information transmitted in advance through a key exchange procedure to be described later or the like or appended to the signature data, so as to be shared by the sender side and the recipient side. The accompanying information may be encrypted together with the data or it may remain unencrypted.
On the recipient side, a signature is generated for the received data through a procedure identical to that having been followed on the sender side. At this time, identical processing is executed by using a recipient side key that is identical to that having been used by the sender and thus, identical signature data are obtained.
If the data or the signature has been falsified (tampered), the two signatures will not match. Thus, it is possible to verify whether or not the target data have been tampered with, which ultimately makes it possible to verify whether or not impersonation of the sender has occurred.
As an alternative to the procedure described above, a hash operation and encryption may be executed simultaneously (HMAC: Hash-Based MAC). In this case, the sender key may be, for instance, added (XOR) to the data undergoing the hash operation, so as to create a signature. Subsequently, a similar operation is executed on the recipient side to generate a signature, and authentication can be achieved by comparing the signatures. If the signatures match, an authentication OK decision is made, whereas if the signatures do not match, an authentication NG decision is made.
In addition, while the operations in the examples described above are executed by adopting a common key method with the sender side and the recipient side sharing the same key information, the present invention may be adopted in processing that does not require a common key (symmetric keys) executed as shown in
Authentication similar to that shown in
Since the processing load of an asymmetric key operation is normally high, it is difficult to assure responsive performance or real time performance. For this reason, a common key should be shared in advance through the key exchange procedure to be described later.
The data operation is executed by appending various types of data along with the data required for communication to the data. For instance, a timestamp (time point information indicating, for instance, the time of transmission) may be appended to the data and, in this case, a replay attack by an impersonator re-sending the same data to pose as an authorized sender can be prevented. In addition, a random number may be appended to generate different encrypted data each time. In this case, it will be difficult to guess key information. Furthermore, it is possible to verify that data are transmitted in the correct sequence (timing) based upon a counter appended to the data.
No particular processing needs to be executed for the hash operation. If no hash operation processing is executed, the operation load is lowered, although a high level of information mixing cannot be achieved.
Signed communication data do not need to include all the information corresponding to the fields listed above. For instance, the information in the signed/unsigned field may be included in the header in an upper protocol. In more specific terms, the information in the signed/unsigned field may be defined in the type field in the Ethernet header or the protocol field in the IP header protocol as a signature-based protocol. IA reserved bit in the CAN protocol or the CANFD protocol may be used to indicate whether or not the authentication is required. As an alternative, specific combinations of senders, recipients and relevant services to be involved in signed communication data transmission may be determined in advance. These measures eliminate the need for the signed/unsigned field. Since they make it possible to ascertain whether or not the authentication is required prior to the payload reception, faster processing is achieved (the information indicating whether or not authentication is required is received with relatively advanced timing and it can be determined that no decision-making for certain payloads is required). In addition, they enable coexistence with legacy devices (because of data bearing an unauthenticated header in conformance to an incorrect protocol, the data are automatically discarded by the legacy devices).
Furthermore, it is not necessary that each set of transfer data invariably include information indicating the communication data length and the signature length. For instance, the need for the information indicating the communication data length and the signature length can be eliminated by determining in advance fixed values for the communication data length and the signature length, before signature-based communication actually takes place, and carrying out the communication with the fixed values determined. In this case, the volume of data being communicated can be reduced.
The margin field 1406 and the authentication Ack field 1407 are not required unless their fields are used because of the usage described later.
Moreover, the signature data do not need to be included in all the data being communicated, and instead, a signature may be generated for each communication unit in an upper layer. For instance, when original 1 MB data are divided into a plurality of packets, only the last packet will need to include a signature. Through these measures, it is possible to reduce the volumes of arithmetic operations that must be executed on the sender side and on the recipient side.
For successful authentication processing, key management must be assured both on the sender side and on the recipient side. Using the same key continuously over an long period of time, in particular, is bound to raise the security risk since a key information leak is more likely to occur. For this reason, it is desirable to update a temporary key (session key) with every specific interval, instead of continuously using the same key.
Accordingly, two ECUs 302, for instance, exchange key information through key exchange processing. In the key exchange processing, one ECU 302 may encrypt a session key with a public key provided by the other ECU 302 and transmit the encrypted session key to the other ECU 302. The other ECU 302, having received the encrypted session key, may then obtain the session key by decrypting the encrypted session key with its own private key. The session key, having been exchanged as described above, is then utilized as the sender key and the recipient key in the authentication processing.
In another example of key exchange processing, the pair of keys, i.e., the public key and the private key, is not used. Instead, an inherent key (master key) is embedded in the ROM 404 or the security module 407 in each ECU 302 at the time of production or maintenance, and the master key information is exchanged at the time of production or maintenance with each ECU 302 with which the particular ECU 302 is to engage in communication. When the product is used, a session key encrypted by using the individual master keys is shared.
Through either of these methods, the key information or various types of information pertaining to the key information (such as the validity period for the key, the initialization vector, the encryption target data ID and the like) can be exchanged securely. It is to be noted that while an explanation has been given in reference to ECUs 302, the concepts described above are all applicable to the GW 303 or the SW 304.
The data IDs 1501 are similar to the data IDs 1201 in the filter table 505. Based upon the information in a data ID 1501 indicating the communication route, the engaged service and the like pertaining to a specific set of data corresponding to the data ID 1501, the key corresponding to the particular data ID 1501 can be determined.
In addition, since the protocol 1502 is indicated, the specific positions at which the communication data and the signature are included in the received data can be ascertained. Information matching the protocol 1502 is also included in the filter table 505, an example of which is presented in
The key data 1503 may be the immediate data value of the key information, a key ID identifying the key or a pointer indicating the key. When the key data 1503 is the key ID, the data may be transmitted to the security module 407 to have the signature verified by specifying the key ID. These measures enable highly secure management of the key data without running the risk of key data leak, and also make it possible to perform authentication without subjecting the processor to an excessive load.
In the field for the key validity period 1504, the validity period for the particular key is entered. Each time the key is updated, the validity period is also updated as necessary. Certain keys may be valid indefinitely. If no key has been obtained, information indicating that a key is yet to be obtained (e.g., information indicating the absolute past time: ALL0, for instance) may be entered. Through these measures, the need for the key information valid flag 1505, to be described later, is eliminated.
The key information valid flag 1505 indicates whether or not the corresponding key information is valid. A key invalid state may manifest when, for instance, the key information corresponding to the specific data ID has not been exchanged with the sender network device or when the key information has been invalidated due to unauthorized access or an attack.
The communication data length 1506 and the signature length 1507 provide information as provided in the communication data length 1402 and the signature length 1405 in the signed communication data format. With the information for the communication data length 1506 and the signature length 1507 held in the key management table 504, processing for obtaining the communication data length 1402 and the signature length 1405 in the signed communication data format does not need to be executed each time communication is carried out and thus, the processing load can be lightened.
In reference to
First, the communication interface 402 in the GW 303 detects authentication target data, from all the data transferred via the bus through the network links 301, based upon the filter information set by the processor 401. Subsequently, the control unit 501, having been notified of the authentication target data detection by the communication interface 402, references the filter table 505 and the key management table 504 to make a decision as to whether or not the data ID of the data being transferred matches a data ID in these tables with the corresponding authentication target flag set to “Yes” (step S101). It is to be noted that since the communication interface 402 detects authentication target data based upon the filter information set by the processor 401, it is not strictly necessary to reference the filter table 505 or to reference the data IDs in the key management table 504 in step S101. In step S101, a negative decision is made for data, the data ID of which does not match any in the tables or data with the authentication target flag set to “No”. If a negative decision is made in step S101, the data authentication processing in step S102 is not executed. An affirmative decision is made in step S101 for data with the data ID thereof matching a data ID in the tables and the authentication target flag set to “Yes”. The control unit 501 references the key management table 504 and executes data authentication processing (step S102) based upon the key corresponding to the authentication target data for which an affirmative decision has been made in step S101. As explained earlier, the authentication processing is executed to determine whether or not the data are being transferred by a party posing as the sender ECU 302.
Subsequently, if the authentication results indicate OK (successful authentication), an affirmative decision is made in step S103. In this case, the control unit 501 hands over the authenticated data to the communication interface 402 without executing any special processing on the data. At the recipient ECU 302, which has received the handed-over data, unencrypted communication data 1404 shown in
As described above, by verifying the data authentication results and processing the data to, for instance, invalidate them if the authentication results indicate NG transfer of unauthorized data through impersonation of the sender device can be prevented. It is to be noted that the authentication processing executed as described above in reference to
The communication interface 402 engaged in data processing, invalidates data by processing the data so as to enable the recipient ECU 302 receiving the data being transferred to detect authentication failure. Data may be invalidated in, for instance, the CAN protocol or the CANFD protocol by generating the dominant value continuously over 6 bits or more in the frame being transferred to render the particular frame as an error frame. Through these measures, the data being transferred can be invalidated.
As an alternative, the authentication Ack 1407 carrying the authentication result information in the signed communication data format, initially set to the recessive value by the sender, may be switched to the dominant value, so as to disallow an overwrite. The recipient network device, having checked the authentication Ack indicating the dominant value, is able to verify that the data have been invalidated due to failed authentication.
In addition, as the authentication Ack data are altered, the CRC operation results are rendered incorrect, and thus, the data, now deemed error-containing data, can likewise be invalidated.
As a further alternative, the dominant value (electrical potential 0) may be taken as a fixed value so as to disable communication over a predetermined length of time. In this case, the data can be invalidated by disabling subsequent communication.
In the Ethernet protocol, too, a signal assuming a pattern different from the transmission pattern assumed at the sender may be generated so as to cause a reception error on the recipient side (a decryption error or a frame-check sequence error) and ultimately, to invalidate the data.
In addition, as in the CAN protocol and the CANFD protocol, data may be invalidated in the Ethernet protocol by altering the information in the authentication Ack in the signed communication data format to information indicating authentication failure or by controlling the bus potential so as to disable communication over a predetermined length of time.
As described above, information indicating the overwritable value is transmitted by the sender in the authentication Ack, and the network device executing authentication overwrites the information in the authentication Ack included in unauthorized data to a value that does not allow a subsequent overwrite. This system does not allow the attacker to engage the sender network device in order to execute bus potential control and does not allow the attacker to engage the sender network device in order to transmit normal data by preventing the network device executing authentication from executing the overwrite control, for the remainder of the transfer data being continuously overwritten because of the data deemed unauthorized. Thus, the unauthenticated data can never be erroneously recognized as normal data by the recipient network device.
The data having been invalidated as described above are discarded as error data at the recipient network device which has received the invalidated data, and consequently, execution of processing using unauthorized data at the recipient network device can be prevented.
Unauthorized data transfer can be effectively prevented in the system described above, in which another network device authenticates data having been transmitted by a network device and data having failed authentication are processed for invalidation. In particular, by engaging a network device both in the authentication processing and in the data processing for data being transferred via a network link, the need for authentication processing to be executed at a plurality of data recipient network devices is eliminated. The network device achieved in the embodiment improves the reliability with which an impersonation attack occurring on the network is detected and makes it possible to execute effective protective operations against the attack.
An example in which the network device that engages in authentication processing invalidates all transfer data with data formats that do not match expected formats, as well as the invalidation to transfer data having failed authentication, at the time of transfer data detection, will be described next. In reference to
The term “data format” in this context refers to a format that includes a data ID, a network link ID assigned to the bus to which the data identified by the data ID are transferred, a data header format defined by the protocol above described, a counter indicating the sequence in the data, a timestamp indicating the timing with which the data are transmitted, a key validity period, a communication data length assumed when the data include the signed communication data for the authentication to be explained earlier, a signature length assumed when the data include the signed communication data and the like.
In step S201, the control unit 501 executes the data format decision-making processing for the detected data that are being transferred, and upon deciding that the data format of the data matches an expected data format (“Yes” in step S201), it proceeds to execute the processing in the following step S101 as explained earlier. In more specific terms, if the data format of the detected transfer data matches the expected data format, there are various conditions such as; the data ID 1201 and the recipient link ID corresponding to the transfer data are held in the filter table 505, the authentication target flag for the transfer data is set to “Yes” and the transfer data correspond to a data ID 1501 in the key management table 504, the transfer data correspond to the protocol 1502 and the key data 1503 held in the key management table 504, and the key validity period 1504 corresponding to the transfer data indicates that the key for the transfer data is still valid, the key valid flag 1505 for the transfer data indicates “valid”, the communication data length of the transfer data matches the communication data length 1506, and the signature length in the transfer data matches the signature length 1507.
The control unit 501 may decide that the data formats match based upon criteria other than those listed above. Such criteria may include; the counter, as the sequence of the transfer data, included in the communication data indicates consecutive values and the difference between the value indicated in the timestamp as the timing with which the transfer data are transmitted and the current time point is equal to or less than a predetermined value.
It may be more desirable to assign the communication interface 402, rather than the control unit 501, to perform the data format decision-making processing based upon some of the decision-making criteria above described which is used for deciding whether or not the data formats match. In such a case, the results of the criteria-based decision-making having been executed by the communication interface 402 may be reported to the control unit 501.
If the data formats do not match (if the data format decision-making results indicate failure) (“No” in step S201), the control unit 501 engages the communication interface 402 in data invalidation by issuing a data processing instruction for the communication interface 402 (step S104) so as to process the data being transferred, as it does when an authentication NG occurs (“No” in step S103) in the first embodiment and in the current embodiment. It is to be noted that as has already been explained in reference to the first embodiment, the data processing executed by the communication interface 402 in response to an instruction issued by the control unit 501 in step S104 may instead be executed by the control unit 501.
In the embodiment, all the data that may be transferred through the network link where the network device detects authentication target data are registered in the filter table 505 and the key management table 504. These tables compile a white list (a list of all the safe data), which makes it possible to prevent transfer of any data not listed in the filter table (transfer of unauthorized data).
As described above, the control unit 501 makes a decision in step S201 in
Next, an example in which data are invalidated as a GW 303 or an SW 304 relays data being transferred from one network link 301 to another network link 301 will be described. While the following explanation is given by assuming that the network device achieved in the embodiment is a GW 303, the present invention may be adopted in a similar manner in an SW 304.
The GW 303 may relay data transferred from the network link 301a to which the sender network device is connected, to the network link 301b, different from the network link 301a, to which the recipient network device is connected, as illustrated in
Subsequently, the remainder of the data is continuously input from the network link 301a to the GW 303 and just as the signature data included in the data are input to the GW 303, the data authentication processing is executed in the GW 303 as has been described in reference to
Through this processing, data can be transferred with low latency simply with header verification alone and any unauthorized data can be invalidated if it is subsequently decided that authentication results indicate failure.
Next, an example in which a network device adopting the present invention is verified to be in operation will be described. In one method that enables such verification, the control unit 501 in the sender network device creates the authentication Ack information as overwritable information (e.g., indicating the recessive value (1) in the CAN protocol), the communication interface 402 executes CRC operation by using information with the authentication Ack value having been overwritten (e.g., indicating the dominant value (0) in the CAN protocol) and then the data are transmitted via the communication interface 402. This processing will be described in detail in reference to
The control unit 501 in the network device having detected data having been transmitted from a sender network device and being transferred to a recipient network device authenticates the data in step S102 in much the same way as that in the first embodiment. If it is decided in step S303 that authentication has been successful (authentication OK, an affirmative decision is made in step S303), the control unit 501 issues an instruction for the communication interface 402 in step S304 so that the information in the authentication Ack is overwritten with an nonoverwritable value (e.g., the dominant value (0) in the CAN protocol). If the authentication results indicate failure (if a negative decision is made in step S303), the data are not processed. Namely, while data are being transferred, the control unit 501 in the authenticator network device processes the transfer data so as to indicate that the particular data have undergone authentication by overwriting the authentication Ack in the transfer data.
The recipient network device, having received the transfer data, is able to confirm that the data have been successfully authenticated by checking the authentication Ack to verify that it has been overwritten or by verifying that the CRC operation results match the value indicated in the CRC field. Furthermore, with the authentication Ack in the received data having been overwritten, the recipient network device is also able to verify that the authenticator network device is in the normal operating state. The recipient network device, having checked the authentication Ack and confirmed that it has not been overwritten or having verified that the CRC operation results do not match the CRC field value, determines that the received data have not been successfully authenticated by the authenticator network device and that the received data are unauthorized data or the authenticator network device is not in the operating state. Upon making these determinations, the recipient network device discards the received data.
Through these measures, it is ensured that unauthorized data, transmitted under circumstances in which the authenticator network device is not in the normal operating state or the signature operation cannot be completed in time, will not be erroneously judged as authenticated data on the recipient side and that the recipient network device will be prevented from being engaged in operation on an erroneous basis. It is to be noted that the processing for indicating, based upon the authentication Ack, that the authenticator network device is in the normal operating state may be executed while normal data transfer is underway. However, it is more desirable to execute this processing in a diagnostic mode selected when normal data transfer is suspended for maintenance.
In a variation of the embodiment, in which the authenticator network device is verified to be in the normal operating state, data with the dominant value set in the margin 1406 in the signed communication data format shown in
In the alternate method described above, neither the sender network device nor the recipient network device executes CRC calculation by incorporating the signal value set in the margin 1406, and instead, the CRC calculation is executed without referencing the signal value set in the margin 1406. As a result, even if the authenticator network device executes authentication processing by using the margin 1406, CRC calculation can be executed for the data including the margin 1406.
In another variation, the control unit 501 of the authenticator network device may transmit information indicating that authentication operation is being correctly executed by the control unit 501 to the sender network device or the recipient network device via a path other than the network links through which the data are being transferred from the sender network device to the recipient network device, e.g., via a network link used for maintenance purposes or via a dedicated line. In this situation, information indicating that the authenticator network device is in the operating state may be provided in the form of fixed-form data that are transmitted on a regular basis, in the form of the signature data explained earlier, in the form of data transmitted with timing matching the data authentication timing and the like, as well as in the form of data assuming the data format described above. As explained above, by verifying, via a plurality of network links or a dedicated line, the operating state of the authenticator network device, the individual network devices are able to correctly confirm that the authenticator network device is in the normal operating state even if one of the paths comes under attack.
A variation in which a stream cipher is used for encoding a signature being generated in order to reduce the processing load of signature generation and authentication will be described. Examples of stream ciphers include MUGI (registered trademark), MULTI-S01, RC4 (registered trademark) and Enocoro (registered trademark). A stream cipher makes it possible to encrypt and decrypt data in units of bits, and thus enables execution of high-speed processing. A signature may be generated as shown in
Either no hash operation is executed in conjunction with a stream cipher, or a hash operation is executed in conjunction with a stream cipher in units matching the bit units or the byte units in which stream ciphering is carried out. The use of a cipher, such as MULTI-S01, having a data mixing function and a data tampering detection function, eliminates the need for the hash operation processing.
By adopting a cipher that enables serial processing, such as a stream cipher, in the encryption process, high-speed decision-making is made possible and, as a result, the signature operation can be completed with ease while the data transfer is underway.
The network device achieved in any one of the embodiments and variations thereof described above, connected via a bus with a sender network device and a recipient network device engaged in specific types of control for a vehicle, includes a control unit 501 and a communication interface 402. Based upon a signature included in the transfer data being transferred via the bus from the sender network device to the recipient network device, the control unit 501 authenticates the transfer data so as to determine whether or not the data are being transferred through the impersonation by the sender network device. If the data have been transferred by the sender network device impersonating another network device and thus the authentication fails, the communication interface 402 invalidates the data while the data transfer is underway. As a result, unauthorized data transfer is prevented. This system eliminates the need for security measures such as authentication processing and key management that would otherwise be required at the recipient network device, and ultimately enables partial networking, which allows the individual network device to be started up only when needed.
The network device achieved in the second embodiment further includes a filter table 505 referenced to determine whether or not transfer of specific data via the bus is allowed and a key management table 504 for managing keys used by the control unit 501 when authenticating data. The control unit 501 in this network device makes a decision during a data transfer as to whether or not the filter table 505 and the key management table 504 hold information corresponding to the data being transferred. The communication interface invalidates the data while the data transfer is underway if the control unit 501 decides that at least one of the filter table 505 and the key management table 504 does not hold information corresponding to the transfer data as well as if the authentication by the control unit 501 has failed. As a result, transmission of unauthorized data in a data format that does not match the data format indicated in the tables is prevented with a lower processing load compared with the processing load incurred when authentication processing is executed.
The control unit 501 in the network device achieved in the fourth embodiment executes a process for the data being transferred so as to indicate that the authentication has been executed by the control unit 501. Through these measures, the authenticator network device can be verified to be in the normal operating state by another network device.
The use of a signature generated with a stream cipher in the encoding process, executed as part of the authentication processing, enables faster decision-making, which, in turn, makes it possible to complete the signature operation while the data transmission is underway.
The above-described embodiments are examples, and various modifications can be made without departing from the scope of the invention.