Message Authentication (AUTOSAR SecOC)


AUTOSAR (Automotive Open System Architecture) SecOC (Security On-board Communication) is a security architecture that aims to protect the communication between the various electronic control units (ECUs) within a vehicle against cyber-attacks.

  • SecOC is an AUTOSAR module

  • Provides integrity and authentication for messages (PDUs)

  • Freshness protects against replay attacks

  • Generic specification which can operate with asymmetric or symmetric cryptography

  • Key distribution is not specified

  • Every PDU has a unique identifier (SecOCDataID). On CAN networks, the CAN identifier is used.

Fig. 33 Overview SecOC. Author: AUTOSAR

Figure from [AUT20].

Generation

  • Secured I-PDU contains freshness value and the MAC

  • Freshness value is incremented on every transmit

  • MAC generation input is the SecOCDataID, the PDU, and the freshness value.

  • In symmetric mode, the MAC can be truncated. The security level decreases linearly with the MAC size.

Fig. 34 SecOC generation. Author: AUTOSAR

Figure from [AUT20].

Truncation

Fig. 35 Secured I-PDU contents with truncated Freshness Counter and truncated Authenticator. Author: AUTOSAR

Figure from [AUT20].

Verification

Fig. 36 SecOC verification. Author: AUTOSAR

Figure from [AUT20].

  • Only LSBs of the freshness value are transmitted

  • Compute full freshness value for internal purposes.

    • Overwrite LSBs of last received value

    • If the received LSBs are smaller than the last LSBs, increment the MSBs

  • Calculate the MAC from the PDU and the full freshness value

  • If the calculated and transmitted MACs match, accept the PDU; otherwise, reject it.
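
The verification steps above, as an added example that is not AUTOSAR's or this page's own code: a sender and a receiver using the Profile 1 truncation sizes (8-bit freshness value, 24-bit MAC). HMAC-SHA256 stands in for CMAC/AES-128 so the block runs on the Python standard library alone; the field widths, the sample key and data ID, and the strictly-newer replay check are assumptions of the example.

```python
import hashlib
import hmac

FV_TX_BITS = 8    # Profile 1: truncated freshness value on the bus
MAC_TX_BITS = 24  # Profile 1: truncated MAC on the bus
FV_MASK = (1 << FV_TX_BITS) - 1

def truncated_mac(key: bytes, data_id: int, pdu: bytes, full_fv: int) -> bytes:
    """MAC over SecOCDataID | PDU | full freshness value, truncated to 24 bits.
    HMAC-SHA256 is a stdlib stand-in here; the profiles use CMAC/AES-128.
    The 2-byte data ID and 8-byte counter widths are assumptions."""
    msg = data_id.to_bytes(2, "big") + pdu + full_fv.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[: MAC_TX_BITS // 8]

class Sender:
    def __init__(self, key: bytes, data_id: int):
        self.key, self.data_id, self.fv = key, data_id, 0

    def secure(self, pdu: bytes):
        """Return (pdu, transmitted FV LSBs, truncated MAC)."""
        self.fv += 1  # freshness value is incremented on every transmit
        tag = truncated_mac(self.key, self.data_id, pdu, self.fv)
        return pdu, self.fv & FV_MASK, tag

class Receiver:
    def __init__(self, key: bytes, data_id: int):
        self.key, self.data_id, self.last_fv = key, data_id, 0

    def reconstruct(self, lsb: int) -> int:
        """Rebuild the full freshness value from the received LSBs."""
        full = (self.last_fv & ~FV_MASK) | lsb   # overwrite LSBs of last value
        if lsb < (self.last_fv & FV_MASK):       # LSBs wrapped: increment MSBs
            full += 1 << FV_TX_BITS
        return full

    def verify(self, pdu: bytes, lsb: int, tag: bytes) -> bool:
        full = self.reconstruct(lsb)
        # Assumption of this example: a value that is not strictly newer than
        # the last accepted one is treated as a replay and rejected.
        if full <= self.last_fv:
            return False
        expected = truncated_mac(self.key, self.data_id, pdu, full)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False
        self.last_fv = full  # advance only after a successful verification
        return True

KEY = bytes(range(16))   # constructed sample key
DATA_ID = 0x123          # constructed sample SecOCDataID
```

A replayed frame fails in one of two ways: an immediate replay reconstructs a value that is not newer than the last accepted one, and an older replay reconstructs a different full freshness value, so the recomputed MAC no longer matches.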

Profiles

  • SecOC Profile 1 (or 24Bit-CMAC-8Bit-FV)

    • Algorithm: CMAC/AES-128

    • truncated freshness value: 8 bits

    • truncated MAC: 24 bits

  • SecOC Profile 2 (or 24Bit-CMAC-No-FV)

    • Algorithm: CMAC/AES-128

    • truncated freshness value: 0 bits

    • truncated MAC: 24 bits

    • Don’t use freshness values at all

  • SecOC Profile 3 (or JASPAR)

    • Algorithm: CMAC/AES-128

    • length of freshness value: 64 bits

    • truncated freshness value: 4 bits

    • truncated MAC: 28 bits

Freshness Value

Fig. 37 Structure of FreshnessValue. Author: AUTOSAR

Figure from [AUT20].

Sync Message

Fig. 38 Format of the synchronization message (TripResetSyncMsg). Author: AUTOSAR

Figure from [AUT20].

On every increment of the reset counter, a sync message is sent.

Key Management

Some potential solutions:

  • One global key

    • ECUs can be swapped easily.

    • If the key is leaked, attackers can attack all systems

  • One key per vehicle

    • Keys need to be loaded on an ECU if components are swapped.

    • If the attacker gains code execution, any message can be sent.

    • Protects bus from third-party devices

  • One key per message

    • Ideal if the asymmetric mode is used, but usually not practical

    • In symmetric mode: A compromised ECU can send malicious frames for all messages it receives and sends in normal operation.

    • Requires a lot of keys

Takeaway:

  • SecOC doesn’t protect against RCE in most cases