DE102016222599A1 - Method for securing data transmission in a data bus - Google Patents

Abstract

The invention relates to a method for securing the data transmission in a data bus, are transmitted over the data protocols of at least one transmitter to at least one receiver, wherein the data protocols for the transmission of physically transferable user data and a CRC checksum contain a data field with a predetermined length. According to the invention, it is provided that at least one secret data word is provided in the sender and the receiver, and the CRC checksum is calculated from the user data to be transmitted and the secret data word.

Description

The invention relates to a method for securing the data transmission in a data bus, via which data protocols of at least one transmitter are forwarded to at least one receiver, which contain at least one data field with a predetermined length and a security field with a CRC checksum.

For communication between control units in a vehicle, various bus systems are known, such as, for example, the known CAN bus (Controller Area Network). But there are also other bus systems that are also used in the automotive industry, such as LIN (Local Interconnect Network), FlexRay, MOST (Media Oriented Systems Transport), PSI5 (Peripheral Sensor Interface 5), as well as the well-known from the computer area Ethernet.

Via a CAN network, the information exchanged between control units in the vehicle is summarized in data telegrams or messages, so-called CAN frames, also referred to below as data protocols. Such a data protocol is composed of the following fields in a known manner: a start field, an arbitration field, a control field, a data field, a safety field (CRC field), an acknowledgment field (ACK Field), an end field (End of Frame), and an Inter Frame Space.

This CAN data protocol contains the information to be transmitted to the respective bus subscriber in the data field (data field), that is to say the user data which is present in the form of a bit sequence with a fixed number of bits. A CAN frame can transmit up to 64 bits of user data. This data can contain safety-relevant control commands or status data. Incorrectly transmitted, incorrectly transmitted or incorrectly received data can lead to dangers for the health and life of the vehicle occupants or other road users in modern vehicles.

The protection of the data communication is standardized in the context of software architecture AUTOSAR ^® (Automotive Open System Architecture) between the software components through a software-based E2E (End-to-End) -Schutzmechanismus realized. In this case, transmission errors are detected by means of checksums (CRC) and message counters (see Specification of SW-C End-to-End Communication Protection Library AUTOSAR Release 4.2.2).

In order to secure the payload data to be transmitted, for example against random transmission errors, via a CAN bus in accordance with this E2E protection mechanism, test data are sent in the data field, which indicate a corruption of the data. Usually - as stated above - CRC checksums and message counters are used, which are sent by the sending controller in the 64 bits of the data field of the CAN message. The data field of such a data log shows 2 which is composed of N 8-bit data field sections. The first data field section Data [0] contains an 8-bit CRC checksum, while the remaining data field sections Data [1] to Data [N] contain the physically transferable user data. According to the above-mentioned AUTOSAR specification, the second data field section Data [1] contains the state of the message counter - often consisting of 4-bit and 4-bit user data. When using the CAN bus as a means of communication between the control units of a vehicle N = 8, ie the length of the data field is 64 bits. If an 8-bit CRC checksum is transmitted together with the user data in such a data field, the maximum length of the user data to be transmitted can be 56 bits. If the status of the message counter is additionally transmitted, 52 bits remain for the user data.

After the transmission of such a data field according to 2 The receiving bus subscriber checks the correctness of the data transmission by calculating a CRC checksum from the transmitted data and, if appropriate, further additional information and comparing this with the CRC checksum in the received data protocol. If the calculated CRC checksum matches the CRC checksum transmitted in the data log, there is error-free data transmission.

These CRC checksums and message counters are sufficient to detect random corruption due to physical influences (e.g., hardware failure or interference) in the receiving controller.

The data protocols including the test data are not protected against malicious manipulation in the known CAN bus. An attacker who has found access to the CAN bus of a vehicle can send CAN messages with correctly calculated test data. These messages are from the others Control units in the vehicle considered valid. Thus, an attacker with access to the CAN network can also send messages that endanger the lives of the vehicle occupants.

With regard to this problem bspw. For example DE 10 2012 210 327 A1 a method for transmitting messages in a vehicle communication system, with which a manipulation or change over a data bus transmitted message from a transmitter to a receiver can be detected. For this purpose, a signature is determined for the message to be transmitted and received together as a signature message from the recipient. The verification of the signature by the recipient is carried out by redetermining the signature for the transmitted message and comparing it with the signature contained in the signature message.

The signature according to this DE 10 2012 210 327 A1 is generated from the message to be protected, from a first counter and from a second counter using a key known and secret to the sender and the receiver. A manipulation or change of a transmitted message can be detected, for example, when the message to be protected is transmitted in parallel to the signature message in a further, but unsigned message from the sender to the recipient. In the unsigned message, the message to be protected is transmitted in plain text. The calculation of the signature over the plaintext message then results in a different signature, assuming that the message protected by the signature message is not tampered with.

So according to this DE 10 2012 210 327 A1 the recipient can process the required value of the first counter to verify the signature, this is communicated to the recipient via a separate message. The value of the second counter is changed with each transmitted signature message in a predetermined manner and transmitted with the message to be protected to the recipient as a signature message.

If this known method according to the DE 10 2012 210 327 A1 When applied to a CAN bus, only part of the signature in the data field is transmitted together with the payload, since the full signature may be 128 bits or more or less depending on the algorithm used, but the data field of a CAN message is only 64 bits long is.

The disadvantage of this known method according to the DE 10 2012 210 327 A1 This is because the data field is used to transmit a signature and therefore this data field is not completely available for the transmission of messages.

Furthermore, the describes DE 10 2010 033 229 A1 a method for tamper-proof transmission of control data between control units of a network. In this method, on the transmitter side, integrity check information data for the control data sent by a first control unit is generated, a cryptographic checksum for the integrity check information data generated by the transmitter is calculated by means of a cryptographic key, the sender-generated integrity check information data and the calculated cryptographic checksum are sent to an integrity check verification unit which uses a cryptographic checksum Cryptographic key verified on the receiving side, the receiving side Integritätsprüfinformationsdaten for the received by a second control unit control data generated and the receiving side generated Integritätsprüfinformationsdaten compared with the received together with the verified cryptographic checksum received integrity check information data for detecting a manipulation of the transmitted control data. The integrity check information data generated on the transmitter side is formed by a hash value of a part of the control data contained in a control data packet or in a certain number of control data packets. The control data are transmitted unencrypted in this known method, either time-shifted to the integrity check information with associated cryptographic checksum or together with the same.

This known method according to the DE 10 2010 033 229 A1 is probably easy to implement and can be retrofitted in a communication system, however, their implementation requires a high level of hardware complexity, since an Integritätsprüferzeugungseinheit and the receiving side an integrity Verification unit are required to generate the Integritätsprüfinformationsdaten.

Finally, also from the DE 10 2008 046 563 A1 a method for the cryptographically protected transmission of data between network nodes of a network known. To prevent "replay attacks" with this known method, NONCE values are used. A NONCE value represents a one-time value or a value that can only be used once. The NONCE value is used to detect re-recorded messages (replay attacks). The encryption of the user data by a Transmitter node then takes place depending on a key and a NONCE value. In this known method, for transmitting the data in a message, the following steps are performed: forming a NONCE value from a count value which is updated upon the transmission of the message and a constant value which is shared with the network node of the network , and encrypting and decrypting the data transmitted in the message by means of a cryptographic key and the NONCE value formed.

The data protocol for transmitting payload data includes header data, which includes a sending node address, a receiving node address, and the current counting value of the sending network node. At the receiving end, the receiving network node compares the transmission network node's count value transmitted in the message with a count value of an internal counter of the receiving network node selected from the transmission node address and forms a NONCE value at the receiving end, from the common constant value and from the transmitted transmitting node address. if the transmitted count is more recent than the selected count, using the NONCE value formed at the receive end and a key stored in the receive network node to decrypt the data encrypted in the message.

This known method according to the DE 10 2008 046 563 A1 requires a high computational effort for its implementation, since not only the NONCE values must be calculated, but also the user data must be encrypted by means of a key.

The sake of completeness is still on the US 2002/0174332 A1 which uses the message authentication code (MAC) to check the integrity of data or messages transmitted between a sender and a receiver. A MAC algorithm requires two input parameters, firstly the messages to be protected and secondly a secret key. From both, the MAC algorithm calculates a check sum, the message authentication code. A sender calculates the MAC checksum by means of the key and the message to be transmitted and then sends the unencrypted message and the MAC checksum to a receiver. This calculates the MAC checksum from the received message with the key and compares the calculated MAC checksum with the received one. The message is only accepted if both values match.

With the method for checking the integrity of messages between a mobile station and a mobile network according to this US 2002/0174332 A1 It is possible to transmit the MAC checksum shortened if the length of the message to be transmitted and the unabridged MAC checksum is too long, ie longer than the data field of the data protocol.

The object of the invention is to provide a method for securing the data transmission in a data bus of a vehicle, which makes the data transmission in the data bus, in particular in a CAN bus more resistant to hacker attacks and can be implemented with little effort.

The object is achieved by a method having the features of patent claim 1.

• - wenigstens ein geheimes Datenwort in dem Sender und dem Empfänger bereitgestellt wird, und
• - die CRC-Prüfsumme aus den zu übertragenden Nutzdaten und dem geheimen Datenwort berechnet wird.

In this method for securing the data transmission in a data bus, via which data protocols are transmitted from at least one transmitter to at least one receiver, wherein the data protocols for the transmission of physical transferable user data and a CRC checksum contain a data field with a predetermined length, it is provided according to the invention, that

• at least one secret data word is provided in the sender and the receiver, and
• - The CRC checksum is calculated from the user data to be transmitted and the secret data word.

In this inventive method, the secret data word is used only to form together with the payload of the data field, a CRC checksum, which is transmitted including the payload data in the data field. Such a CRC checksum differs from that calculated without such a secret data word.

The term "payload data" which is physically transferable refers to useful data which are present as bit-serial data streams and which can be converted by a data bus, for example the CAN bus, as the transmission medium into the corresponding BUS signals.

According to an advantageous development of the method according to the invention, the secret data word is provided with a length that is greater than the length of the CRC check sum. If, for example, an 8-bit CRC is used, the length of the secret data word is longer than 8 bits, that is, for example, a multiple of 1 byte. The length of such a secret data word can then be, for example, 64 or 128 bits, etc.

The greater length of the secret data word compared with the CRC checksum causes the secret data word to be much more difficult to guess by a malicious attacker. With a length of the secret data word of, for example, 64 bits, the chance of guessing is 1: 2 ^ 64, ie 1: 18,446,744,073,709,551,616. In practice, guessing the secret data word is no longer feasible for a malicious attacker.

Since the same secret data word is available at the receiver, the CRC checksum can be calculated on the receiver side from the user data together with the secret data word and compared with the received CRC checksum. If the CRC checksums thus present do not match, the transmitted data protocol and thus also the received user data are discarded.

When using this method according to the invention, the security concepts and error responses to incorrect user data already defined and implemented in the data bus need not be changed. This is especially true if the data bus is designed as a CAN bus. Also, in such a CAN bus, the safety-relevant CAN data protocols do not have to be adapted if sufficient CRC checksums with sufficient gap are already used for a secret data word. Finally, the use of this method according to the invention at the level of the network realized with the data bus requires no additional hardware in order to protect this network against hacker attacks with this inventive method.

It is according to a further preferred embodiment of the invention also possible to store the secret data word by means of a cryptographic method in memory units of the transmitter and the receiver. For this purpose, hardened crypto memories can be used both for the transmitter and for the receiver. When using the secret data word secured crypto algorithms and crypto hardware, such as, for example, a hardware security module (Hardware Security Module) are used. Such a hardware security module is a component for the efficient and secure execution of cryptographic operations or applications, such as the generation of cryptographic keys, to ensure the trustworthiness and integrity of data. With such a hardware security module, it is therefore also possible to generate the secret data word according to the method according to the invention or to store this in order to protect it against unauthorized access.

According to a further preferred embodiment of the invention, the secret data word is exchanged for another predetermined data word after a predetermined number of sent data protocols. In particular, it is thus possible to make a change of the secret data word after each message sent, d. H. every secret data word is used only once.

For this purpose, a new secret data word is generated by means of the algorithm, or another data word stored in the hardened crypto memory is used as a new secret data word. Of course, this presupposes that several such secret data words are stored in the hardened crypto memory. The period of validity of a current secret data word is also known to the receiver, so that the transmitter-side change of the secret data word does not need to be communicated to the receiver.

The exchange of the secret data word hacker attacks, where the secret data word is calculated by listening in and analyzing the traffic on the CAN bus or in which the secret data word is guessed or tried.

An exchange of the secret data word can also be carried out according to a further embodiment of the method according to the invention if a cryptographically secured data protocol has been transmitted from the sender to the receiver or conversely from the receiver to the sender. In a cryptographically secured data protocol, the user data in the data field is not encrypted, but encrypted by means of a key before transmission to the recipient.

A further advantageous embodiment of the invention provides that after a predetermined sequence of incorrectly received by the receiver checksums the secret data word is exchanged and the sender is informed by the recipient of the exchange of the secret data word. So, for example, already after a single incorrectly transmitted data protocol the secret data word are exchanged. It is also possible, after a predetermined number of directly consecutive or not directly consecutive incorrectly transmitted data protocols to exchange the secret data word.

In addition, it is provided according to further development that after a predetermined sequence of checksums incorrectly received by the receiver, this receiver changes to an emergency mode in which no data protocols are accepted by the receiver. Thus, for example, the receiver can switch to emergency operation already after a single incorrectly transmitted data protocol. It is also possible that, after a predetermined number of directly successive or not directly consecutive incorrectly transmitted data protocols, the receiver switches to emergency mode.

To enable the exchange of secret data words, these are stored in storage units of the sender and the recipient. According to a further development, it is provided that the sequence of the secret data words provided for exchange is determined in advance.

The method according to the invention is particularly suitable for use with a CAN bus as a transmission medium between control units of a vehicle. It is also applicable in Flexray, CAN FD, LIN, MOST and Ethernet networks.

• 1 eine schematische Darstellung der erfindungsgemäßen Erzeugung einer CRC-Prüfsumme für die Übertragung eines CAN-Datentelegramms, und
• 2 ein Datenfeld eines Datenprotokolls gemäß AUTOSAR®-Spezifikationen.

The method according to the invention will now be described and explained with reference to exemplary embodiments of the method according to the invention with reference to the attached figures. Show it:

• 1 a schematic representation of the inventive generation of a CRC checksum for the transmission of a CAN data telegram, and
• 2 a data field of a data protocol according to AUTOSAR® specifications.

The data field according to 2 has already been described in the introduction to the description. Therefore, where appropriate, only in connection with the description of 1 referenced.

The CRC checksum, which is sent along with a CAN message or a CAN data protocol, serves as previously described for error detection. The CRC checksum is computed by interpreting the 0-1 string of the data field payload data to be transmitted as a binary polynomial and dividing it by a selected CRC polynomial (mod polynomial) mod (2), the remainder of the division being the CRC Checksum forms.

The length of the CRC checksum depends on the number of useful data bits of the user data to be protected and on the required transmission reliability, ie the Hamming distance. A large number of data bits to be backed up require a longer checksum for the same Hamming distance. As a rule, the length of the checksum depends on the maximum possible number of data bits to be protected.

The data field according to 2 contains in the data field section Data [0] an 8-bit CRC checksum, which can secure more bits than it corresponds to the length of the user data, that is, the number of bits of this user data. In a CAN data protocol is the data field 64 Bits long, minus the 8-bit CRC, a length of 56 bits remains for the user data to be transmitted, ie the CRC checksum secures a larger number of bits. The difference between the possible number of bits to be saved by the CRC checksum and the length of the payload is used to use a secret data word in the calculation of the CRC checksum.

(entnommen aus ‚Philip Koopman, Tridib Chakravarty, DSN-2004: Cyclic Redundancy Code (CRC) Polynomial Selection For Embedded Networks‘) verwendet, können 119 Bits Nutzdaten mit einer Hamming-Distanz HD=4 abgesichert werden.For example, if the 8-bit CRC polynomial '0x97: $$\left(\text{x}+1\right)*\left({\text{x}}^{\wedge }7+{\text{x}}^{\wedge }6+{\text{x}}^{\wedge }5+{\text{x}}^{\wedge }2+1\right)$$

(taken from, Philip Koopman, Tridib Chakravarty, DSN 2004 : Using Cyclic Redundancy Code (CRC) Polynomial Selection For Embedded Networks'), 119 bits of payload data with a Hamming distance of HD = 4 can be secured.

Thus, the difference between the number of bits that can be protected by this CRC polynomial '0x97 ( 119 Bits) and the length of the user data to be protected in the CAN data protocol ( 56 Bits): 119-56 = 63 bits. Consequently, stand for the secret data word 63 Bits are available and therefore, in the present example, it can consist of a maximum of 63 bits. If other CRC polynomials or other Hamming distances are selected for the CRC checksum, the secret data word may also be shorter or longer.

To determine the CRC checksum, the secret data word provided in accordance with the methods described above, which consists of a 0-1 sequence, is appended to the payload data and fed together as an input parameter to a CRC arithmetic unit, as described in US Pat 1 is shown schematically. Of course, this CRC checksum shows a different value than a CRC checksum calculated only from the payload of the data field.

This CRC checksum calculated in such a way from the user data and the secret data word becomes after in the data field section Data [0] after 2 registered and transmitted together with the user data of the data field of a trained as a controller transmitter of a CAN network to a trained as a controller receiver.

The secret data word is known only to the sender of the CAN data protocol and the receiver of this CAN message.

The checksum calculated with the above-described CRC polynomial '0x97 is 1 byte long and has a sufficiently high Hamming distance to secure security-relevant messages. The chance of generating a false message without knowledge of the secret data word accepted as a message by the receiver of the CAN data protocol is equal to 2 ^ (number of CRC bits), this corresponds to 2 ^ (-8) = 1/256 = 0.39%.

The secret data word provided in the transmitter as well as in the receiver of the CAN network is generated by means of a predetermined algorithm both in the transmitter and in the receiver. Thus, a new secret data word can be used for each data transmission by means of the CAN data protocol, whereby the security of the data transmission is improved, in particular hacker attacks are made more difficult.

It is also possible to provide a predetermined number of secret data words in each case in a memory unit of the transmitter and of the receiver of the CAN network, in order to thus possibly change the secret data word.

• - Verwendung von gehärteten Krypto-Speichern für das geheime Datenwort in den als Steuergeräte ausgebildeten Sendern und Empfängern des CAN-Netzwerks.
• - Verwendung von abgesicherten Krypto-Algorithmen und Krypto-Hardware, bspw. Hardware-Sicherheitsmodulen (Hardware Security Module) bei Verwendung des geheimen Datenwortes.
• - Einrichten von Schutzmaßnahmen vor Ausspähung des geheimen Datenwortes während des Entwicklungs-und Produktionsprozesses der als Sender und Empfänger eingesetzten Steuergeräte des CAN-Netzwerks.

In order to secure such a secret data word stored in the memory unit against spying, the following measures can be implemented:

• Use of hardened crypto memories for the secret data word in the transmitters and receivers of the CAN network designed as controllers.
• Use of secure crypto algorithms and crypto hardware, for example hardware security modules using the secret data word.
• - Establishment of protective measures against spying of the secret data word during the development and production process of the control units used as transmitter and receiver of the CAN network.

The secret data word may also be exchanged after a predetermined number of sent data protocols, for example after every message sent, i. every secret data word is used only once.

An exchange of the secret data word can also be made when a cryptographically secured data protocol has been transmitted from the sender to the receiver or vice versa from the receiver to the sender. In a cryptographically secured data protocol, the user data in the data field is not encrypted, but encrypted by means of a key before transmission to the recipient.

Furthermore, an exchange of the secret data word according to a predetermined sequence of incorrectly received by the receiver checksums feasible. In this case, the sender is informed by the receiver about the exchange of the secret data word. So, for example, can already after a single erroneously transmitted data protocol the secret data word are exchanged. It is also possible, after a predetermined number of directly consecutive or not directly consecutive incorrectly transmitted data protocols to exchange the secret data word.

In addition, the CAN network can be set up so that after a predetermined sequence of CRC checksums erroneously received by the receiver, this receiver transitions to an emergency mode in which no data protocols are accepted by the receiver. Thus, for example, the receiver can switch to emergency operation already after a single incorrectly transmitted data protocol. It is also possible that, after a predetermined number of directly successive or not directly consecutive incorrectly transmitted data protocols, the receiver switches to emergency mode.

The sequence of the secret data words to be used can already be determined beforehand by software in the sender and the receiver. It is also possible that the sequence of the secret data words provided for exchange is calculated from the content of the transmitted data words of the data field.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102012210327 A1 [0010, 0011, 0012, 0013, 0014]
• DE 102010033229 A1 [0015, 0016]
• DE 102008046563 A1 [0017, 0019]
• US 2002/0174332 A1 [0020, 0021]

Claims (10)

Method for securing the data transmission in a data bus, are transmitted over the data protocols of at least one transmitter to at least one receiver, wherein the data protocols for the transmission of physically transferable user data and a CRC checksum contain a data field with a predetermined length, characterized in that - at least a secret data word is provided in the transmitter and the receiver, and - the CRC checksum is calculated from the payload data to be transmitted and the secret data word. Method according to Claim 1 in which the secret data word is provided with a length greater than the length of the CRC checksum. Method according to Claim 1 or 2 in which the at least one secret data word is stored in memory units of the sender and the receiver by means of a cryptographic method. Method according to one of the preceding claims, in which the secret data word is exchanged for another secret data word after a predetermined number of transmitted data protocols. Method according to one of the preceding claims, wherein after a transmission of a cryptographically secure data protocol from the sender to the receiver, the secret data word is exchanged. Method according to one of the preceding claims, wherein after a transmission of a cryptographically secure data protocol from the receiver to the transmitter, the secret data word is exchanged. Method according to one of the preceding claims, in which, after a predetermined sequence of checksums erroneously received by the receiver, the secret data word is exchanged and the transmitter is notified by the receiver of the exchange of the secret data word. Method according to one of the preceding claims, in which, after a predetermined sequence of checksums erroneously received by the receiver, this receiver transitions into an emergency operation in which no data protocols are accepted by the receiver. Method according to one of the preceding claims, in which the sequence of secret data words provided for exchange is predetermined and stored in the sender and the receiver. Method according to one of the preceding claims, in which the data bus is realized as a CAN bus.

Images