Control area network authentication

US 9,231,936 B1
Filed: 02/12/2014
Issued: 01/05/2016
Est. Priority Date: 02/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating messages, comprising:

receiving, by a receiving device, a data message from a sending device, wherein each receiving and sending device is assigned one of two or more trust levels;

receiving, by the receiving device, an authentication message from the sending device, the authentication message comprising an authentication code;

determining a message identifier for the data transmission, wherein each receiving device is associated with at least one of two or more message identifiers, the two or more message identifiers being assigned to one of two or more message groups, wherein a particular message identifier is assigned to one of the two or more message groups based on a device with the lowest trust level among the receiving and sending devices that use that particular message identifier;

authenticating the received data message by using a group key assigned to the receiving device to verify the authentication code.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for authenticating messages in a control area network is described. In one embodiment, a message identifier for a data message is ascertained. Each device is associated with one or more message identifiers. The data message is sent from a first device to a second device. The data message is associated with the ascertained message identifier. An authentication code computed by the first device is sent to the second device. The authentication code is sent by the first device in the data message or in an authentication message.

52 Citations

View as Search Results

18 Claims

1. A computer-implemented method for authenticating messages, comprising:
- receiving, by a receiving device, a data message from a sending device, wherein each receiving and sending device is assigned one of two or more trust levels;
  
  receiving, by the receiving device, an authentication message from the sending device, the authentication message comprising an authentication code;
  
  determining a message identifier for the data transmission, wherein each receiving device is associated with at least one of two or more message identifiers, the two or more message identifiers being assigned to one of two or more message groups, wherein a particular message identifier is assigned to one of the two or more message groups based on a device with the lowest trust level among the receiving and sending devices that use that particular message identifier;
  
  authenticating the received data message by using a group key assigned to the receiving device to verify the authentication code.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein:
    - the group key assigned to the sending device is assigned to the sending device based at least in part on a trust level associated with the sending device, wherein the authentication code is computed based at least in part on the group key assigned to the sending device; and
      
      the group key assigned to the receiving device is assigned to the receiving device based at least in part on a trust level associated with the receiving device.
  - 3. The method of claim 1, further comprising:
    - obtaining a received counter value from the data message;
      
      determining a local counter value for the message identifier; and
      
      upon determining that the local counter value for the determined message identifier varies from the received counter value, ignoring the data message.
  - 4. The method of claim 1, further comprising:
    - storing the data message in a receive buffer; and
      
      identifying the stored data message in the receive buffer based at least in part on a message identifier included in the authentication message.
  - 5. The method of claim 1, wherein the data message comprises a controller area network (CAN) bus data frame.

6. A computer-implemented method for authenticating messages, comprising:
- ascertaining a message identifier for a data message, wherein each receiving and sending device is associated with at least one of two or more message identifiers, wherein each receiving and sending device is assigned one of two or more trust levels;
  
  assigning each of the two or more message identifiers to one of two or more message groups, wherein a particular message identifier is assigned to one of the two or more message groups based on a device with the lowest trust level among the receiving and sending devices that use that particular message identifier;
  
  sending the data message from a first device to a second device, the data message being associated with the ascertained message identifier; and
  
  sending, to the second device, an authentication code computed by the first device, the authentication code being sent by the first device in the data message or in an authentication message.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6, further comprising:
    - assigning a trust level, from two or more trust levels, to the first device; and
      
      assigning a trust level to the second device.
  - 8. The method of claim 6, further comprising:
    - assigning a group key to a first message group, the group key being shared among all devices given the right to use any message identifier assigned to the first message group.
  - 9. The method of claim 6, wherein computing the authentication code comprises:
    - computing a hash value based at least in part on a counter value and a group key assigned to a message group associated with the ascertained message identifier; and
      
      truncating the computed hash value.
  - 10. The method of claim 9, wherein the counter value comprises a local message counter and a session number, the session number being incremented each time the first device boots up.
  - 11. The method of claim 6, wherein the second device attempts to verify the data message using a group key assigned to a message group associated with a message identifier used by the second device.
  - 12. The method of claim 6, wherein the data message comprises a controller area network (CAN) bus data frame.

13. A computing device configured to authenticate messages, comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  ascertain a message identifier for a data message, wherein each receiving and sending device is associated with at least one of two or more message identifiers, wherein each receiving and sending device is assigned one of two or more trust levels;
  
  assign each of the two or more message identifiers to one of two or more message groups, wherein a particular message identifier is assigned to one of the two or more message groups based on a device with the lowest trust level among the receiving and sending devices that use that particular message identifier;
  
  send the data message from a first device to a second device, the data message being associated with the ascertained message identifier; and
  
  send, to the second device, an authentication code computed by the first device, the authentication code being sent by the first device in the data message or in an authentication message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computing device of claim 13, wherein the instructions are executable by the processor to:
    - assign a trust level, from two or more trust levels, to the first device; and
      
      assign a trust level to the second device.
  - 15. The computing device of claim 13, wherein the instructions are executable by the processor to:
    - assign a group key to a first message group, the group key being shared among all devices given the right to use any message identifier assigned to the first message group.
  - 16. The computing device of claim 13, wherein the instructions to compute the authentication code are executable by the processor to:
    - compute a hash value based at least in part on a counter value and a group key assigned to a message group associated with the ascertained message identifier; and
      
      truncate the computed hash value.
  - 17. The computing device of claim 16, wherein the counter value comprises a local message counter and a session number, the session number being incremented each time the first device boots up.
  - 18. The computing device of claim 13, wherein the second device attempts to verify the data message using a group key assigned to a message group associated with a message identifier used by the second device, and wherein the data message comprises a controller area network (CAN) bus data frame.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Somasundaram, Shankar, Wang, Qiyan
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US14/179,058
Time in Patent Office

692 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 9/32   including means for verifyi...

Control area network authentication

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Control area network authentication

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links