CN110545257A - Automobile CAN bus encryption method - Google Patents

Publication number: CN110545257A
Authority: CN (China)
Legal status: Granted
Application number: CN201910659548.XA
Other languages: Chinese (zh)
Other versions: CN110545257B (en)
Inventors: 杨世春, 李强伟, 崔海港, 曹耀光, 闫啸宇
Current assignee: BEIJING HANGSHENG NEW ENERGY TECHNOLOGY Co Ltd
Original assignee: BEIJING HANGSHENG NEW ENERGY TECHNOLOGY Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Abstract

The invention relates to an automobile CAN bus encryption method. A transmitting node first recombines the data to be transmitted on the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm, adds a check mechanism to the data blocks, adds a check bit after the last bit of the tail-end data block, and pads the tail-end data block with random data. Each data block is encrypted with the AES encryption algorithm to obtain a ciphertext data block. The transmitting node segments each ciphertext data block, sets a time identifier and a sequence identifier, and transmits the result to a receiving node over the CAN network. The receiving node receives the ciphertext data blocks and checks their integrity, then abandons or completes the reception according to the result; it extracts the ciphertext data according to the preset time identifier and sequence identifier, splices and decrypts it, and after decryption checks it with the check mechanism to confirm the validity of the data transmission. The data transmission efficiency is improved and the safety of data transmission on the automobile is ensured.

Description

Automobile CAN bus encryption method
Technical Field
The invention relates to the technical field of data transmission of an internal local area network of an automobile, in particular to an automobile CAN bus encryption method.
Background
In modern automotive applications, the Controller Area Network (CAN) is a multi-master local area network proposed mainly by BOSCH, and it has been widely applied in many fields such as industrial automation, control devices, vehicles, medical instruments, buildings and environmental control owing to its high performance, high reliability and real-time behaviour. With the rapid development of electric and hybrid vehicles, new Electronic Control Units (ECUs) such as the battery management system have been introduced into the vehicle, and the control communication of the entire vehicle is carried over the CAN network. However, as more and more vehicles are connected to the internet, the originally closed and unprotected in-vehicle local network is suddenly exposed to the wider internet environment, and the CAN network is no exception, so the security requirements on data transmission in modern automobiles keep rising.
Common encryption methods are currently divided into block encryption and stream encryption, among which the AES encryption algorithm in the stream encryption is widely applied. However, the block length of the AES encryption algorithm is fixed at 128 bits, while the maximum data length of a CAN message is generally 64 bits, so the AES encryption algorithm cannot be applied directly to CAN message encryption. In addition, if a group of CAN messages is packed and encrypted together, the messages encrypted as one group must be decrypted together to obtain correct results; the sending order of CAN messages is difficult to guarantee because of the priority mechanism used during sending; data loss is easily caused by environmental factors such as electromagnetic interference; and encrypting CAN messages ultimately affects the real-time performance of CAN communication (data transmission). A CAN data encryption method that can encrypt data, guarantee transmission security, guarantee the data sending order and avoid the influence of environmental factors is therefore urgently needed.
Disclosure of Invention
Aiming at the defects of traditional automobile CAN network data transmission, namely poor security, low efficiency, no guarantee of the sending order and susceptibility to environmental factors, the invention provides an automobile CAN bus encryption method. It skillfully introduces the AES encryption and decryption algorithm and, through a series of settings, combines it perfectly with automobile CAN network data communication, which effectively ensures the safety of data transmission on the automobile and greatly improves the immunity of the automobile CAN network system to external faults or attacks.
The technical solution of the invention is as follows (in accordance with the claims):
In the automobile CAN bus encryption method, a transmitting node first recombines the data to be transmitted on the CAN bus network into several data blocks according to the block length requirement of the AES encryption algorithm, adds a check mechanism to the data blocks, adds a check bit after the last bit of the tail-end data block, and pads the tail-end data block with random data. Each data block is encrypted with the AES encryption algorithm to obtain a ciphertext data block. The transmitting node segments each ciphertext data block, sets a time identifier and a sequence identifier, and transmits the result to a receiving node over the CAN (Controller Area Network) network. The receiving node receives the ciphertext data blocks and checks their integrity, then abandons or completes the reception according to the result. It extracts the data according to the preset time identifier and sequence identifier, splices and decrypts it, and after decryption checks it with the check mechanism to confirm the validity of the data transmission.
The automobile CAN bus encryption method specifically comprises the following steps:
Step one: the sending node recombines the data to be sent on the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm. Each front-end data block is allocated 128 bits, until the tail-end data block has fewer than 128 bits. A check mechanism sums the data on every bit of the front-end data blocks and the tail-end data block to obtain the checksum data, which is placed immediately after the last bit of the tail-end data block, and that bit position is recorded as N. The tail-end data block is then padded to 128 bits with random data;
Step two: the data to be sent in each front-end data block and in the tail-end data block is encrypted with the AES encryption algorithm to obtain the corresponding ciphertext data blocks;
Step three: each ciphertext data block is segmented in turn according to the CAN bus transmission length requirement to obtain a plurality of 64-bit ciphertext data packets. A matching ciphertext data packet ID is constructed for each ciphertext data packet according to an ID coding rule, and several bits of the extended frame ID are selected to set a time identifier and a sequence identifier for each ciphertext data packet;
Step four: the ciphertext data packets carrying time identifiers and sequence identifiers are sent to a receiving node over the CAN network according to the CAN communication protocol;
Step five: when the receiving node receives ciphertext data packets, it first detects whether the full number of ciphertext data packets carrying the current time identifier has arrived and judges whether each ciphertext data packet is intact. When the detection result is incomplete or not intact, the receiving node continues to wait; when the waiting time exceeds a waiting-time threshold or a data packet carrying the next time identifier is received, the receiving node abandons the reception. When the detection result is complete and intact, the receiving node proceeds to step six;
Step six: the receiving node extracts all ciphertext data packets carrying the same time identifier, splices them according to the sequence identifier, and performs AES decryption on them with the key of the AES decryption algorithm to obtain the plaintext data packets;
Step seven: after decryption, the receiving node performs a check using the check mechanism of step one to confirm the validity of the data transmission.
Preferably, in step seven, using the check mechanism of step one, the receiving node sums all data on the first N-1 bits of each plaintext data block and compares the sum with the check data on the Nth bit. If they are the same, the check succeeds and the current CAN network communication is complete. If they differ, the check fails, the current plaintext data block is treated as garbage data, and the communication error counter is incremented by 1. If errors occur consecutively and the counter exceeds the count threshold, or their frequency exceeds the frequency threshold, the system is determined to be faulty or under attack at that moment, and the data sending and receiving operation is stopped.
Preferably, the time period for the sending node to send data to the receiving node is 100 ms.
Preferably, the ciphertext data packet ID in step three is a 29-bit extended frame ID; 5 of its 29 bits are selected to set the time identifier, and 9 further bits are selected to set the sequence identifier.
Preferably, when the time identifier is set in step three, ciphertext data packets of the same moment use the same time identifier, and ciphertext data packets of different moments use different time identifiers in chronological order.
Preferably, the latency threshold in step five is 100 ms.
Preferably, the count threshold in step seven is set to 5 times: the communication error counter exceeds the count threshold when errors appear continuously for 10 minutes and exceed that count.
The invention has the following technical effects:
The invention relates to an automobile CAN bus encryption method. A transmitting node first recombines the data to be transmitted on the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm, adds a check mechanism to the data blocks, adds a check bit after the last bit of the tail-end data block, and pads the tail-end data block with random data. Each data block is encrypted with the AES encryption algorithm to obtain a ciphertext data block. The transmitting node segments each ciphertext data block, sets a time identifier and a sequence identifier, and transmits the result to a receiving node over the CAN network. The receiving node receives the encrypted data blocks and checks their integrity, then abandons or completes the reception according to the result; it extracts the data according to the preset time identifier and sequence identifier, splices and decrypts it, and after decryption checks it with the check mechanism to confirm the validity of the data transmission. The invention thus forms a CAN message encryption method with time identification: according to the block length fixed by the AES encryption algorithm, the CAN messages to be encrypted and sent are integrated so that CAN messages of different lengths are combined or padded to meet the message length requirement of AES encryption.
The method skillfully introduces the AES encryption and decryption algorithm and, through a series of settings, combines it perfectly with the data communication of the automobile CAN network, effectively ensuring the safety of data transmission on the automobile. In particular, an AES encryption mechanism is introduced to protect automobile CAN network communication: data on the originally open CAN network is transmitted as ciphertext and decrypted after the receiving node receives it, which greatly improves the immunity of the automobile CAN network system to external faults or attacks and effectively improves data transmission efficiency and quality. Using a data check technique inside the ciphertext gives the automobile CAN network system a certain self-diagnosis capability against external attacks, so that it can protect itself when necessary. Adding the time identifier and the sequence identifier solves the problems of time asynchrony and data loss that may arise when data is sent after recombination, and ensures that the data arriving at the receiving node is valid and completely usable. The identifiers are added to the ID rather than to the message, which shortens the total length of data to be transmitted, improves data transmission efficiency and reduces the communication load on the bus.
Drawings
FIG. 1: a first preferred flow chart of the automobile CAN bus encryption method of the invention.
FIG. 2: a second preferred flow chart of the automobile CAN bus encryption method of the invention.
Detailed Description
The present invention will be further described in detail with reference to the accompanying drawings.
The invention relates to an automobile CAN bus encryption method, shown in the first preferred flow chart of FIG. 1. A sending node first recombines the data to be sent on the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm, adds a check mechanism to the data blocks, adds a check bit after the last bit of the tail-end data block, and pads the tail-end data block with random data. Each data block is encrypted with the AES encryption algorithm to obtain a ciphertext data block. The sending node segments each ciphertext data block, sets a time identifier and a sequence identifier, and sends the result to a receiving node over the CAN network. The receiving node receives the ciphertext data blocks and checks their integrity, then abandons or completes the reception according to the result, extracts the data according to the preset time identifier and sequence identifier, and splices and decrypts it. The method integrates the CAN messages to be encrypted and sent according to the block length fixed by the AES encryption algorithm, combining or extending CAN messages of different lengths so that they meet the message length requirement of AES encryption. It skillfully introduces the AES encryption and decryption algorithm and, through a series of settings, combines it perfectly with automobile CAN network data communication, effectively ensuring the safety of data transmission on the automobile. In particular, an AES encryption mechanism is introduced to protect automobile CAN network communication: data on the originally open CAN network is transmitted as ciphertext and decrypted after the receiving node receives it, which greatly improves the immunity of the automobile CAN network system to external faults or attacks, greatly raises the cost of an attack for an attacker, and effectively improves the data transmission efficiency and quality of CAN network communication. The data check technique is used inside the ciphertext, so the automobile CAN network system has a certain self-diagnosis capability against external attack and can protect itself when necessary. The data to be sent is preprocessed: it is integrated to a fixed length requirement, and several groups of data are preprocessed and then sent together, which reduces the number of encryption and decryption operations and so saves computation time. Adding the time identifier and the sequence identifier solves the problems of time asynchrony and data loss that may arise when data is sent after recombination, and ensures that the data reaching the receiving node is valid and completely usable. The identifiers are added to the ID rather than to the message, which shortens the total length of data to be transmitted, improves data transmission efficiency and reduces the communication load on the bus.
As shown in the second preferred flow chart of FIG. 2, the above automobile CAN bus encryption method preferably includes the following steps:
Step one: the sending node recombines the data to be sent (also called CAN messages) on the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm. Each front-end data block is allocated 128 bits, until the tail-end data block has fewer than 128 bits. In other words, the CAN messages to be encrypted and sent are integrated according to the fixed block length of the AES encryption algorithm, combining or lengthening CAN messages of different lengths so that they meet the message length requirement of the AES encryption algorithm. A check mechanism then sums the data on every bit of the front-end data blocks and the tail-end data block to obtain the checksum data, which is placed immediately after the last bit of the tail-end data block, and that bit position is recorded as N. The tail-end data block is padded to 128 bits with random data. This step recombines the data to be sent: the data is integrated to a fixed length requirement and several groups of data are processed and then sent together, which reduces the number of encryption and decryption operations, saves computation time and improves communication efficiency;
Step two: the data to be sent in each front-end data block and in the tail-end data block is encrypted with the AES encryption algorithm to obtain the corresponding ciphertext data blocks;
Step three: each ciphertext data block is divided in turn according to the CAN bus transmission length requirement to obtain a plurality of 64-bit ciphertext data packets. A matching ciphertext data packet ID is constructed for each ciphertext data packet according to an ID coding rule, and several bits of the extended frame ID are selected to set a time identifier and a sequence identifier for each ciphertext data packet. CAN communication uses extended frame IDs, and part of the 29-bit extended frame ID serves as the time identifier and the sequence identifier. The sequence identifier ensures data integrity and the time identifier is the basis for confirming time consistency; the result is CAN message encrypted data carrying a time identifier and a sequence identifier. The identifiers are added to the ID rather than to the CAN message, which shortens the total length of data to be transmitted, improves data transmission efficiency and reduces the communication load on the CAN bus;
Step four: the ciphertext data packets carrying time identifiers and sequence identifiers are sent to a receiving node over the CAN network according to the CAN communication protocol. That is, the sending node preprocesses the CAN messages destined for the target receiving node by combining, partitioning and padding them, and then sends them to the receiving node according to the CAN communication protocol;
Step five: when the receiving node receives ciphertext data packets, it first detects whether the full number of ciphertext data packets carrying the current time identifier has arrived and judges whether each ciphertext data packet is intact. When the detection result is incomplete or not intact, the receiving node continues to wait; when the waiting time exceeds a waiting-time threshold or a data packet carrying the next time identifier is received, the receiving node abandons the reception. When the detection result is complete and intact, the receiving node proceeds to step six;
Step six: the receiving node extracts all ciphertext data packets carrying the same time identifier, splices them according to the sequence identifier, and performs AES decryption on them with the key of the AES decryption algorithm to obtain the plaintext data packets. After the receiving node receives the related CAN messages, it orders them by sequence identifier, collects the CAN messages of the same time period (the same time identifier) and then decrypts them, so that decryption can be carried out once the block length is satisfied. In particular, when a sending node sends a large batch of CAN message data, the partitioned ciphertext data packets must be marked with the same time identifier before sending, and after the receiving node receives the batch it must integrate the data packets before processing them, for example by splicing and decryption;
Step seven: after decryption, the receiving node performs a check using the check mechanism of step one to confirm the validity of the data transmission.
Preferably, in step seven, using the check mechanism of step one, the receiving node sums all data on the first N-1 bits of each plaintext data block and compares the sum with the check data on the Nth bit. If they are the same, the check succeeds and the current CAN network communication is complete. If they differ, the check fails, the current plaintext data block is treated as garbage data, and the communication error counter is incremented by 1. If errors occur consecutively and the counter exceeds a count threshold, or their frequency exceeds a frequency threshold, the system is determined to be faulty or under attack at that moment and the data sending and receiving operation is stopped. That is, if communication errors appear consecutively more than a certain number of times, the CAN system is determined to be under external attack or to have a controller fault, and the CAN system enters a protection mode under manual or automatic operation. Because the data check technique is used inside the ciphertext, the automobile CAN network system has a certain self-diagnosis capability against external attack and can protect itself when necessary.
Preferably, the time period for the sending node to send data to the receiving node is 100 ms.
Preferably, the ciphertext data packet ID in step three is a 29-bit extended frame ID; 5 of its 29 bits are selected to set the time identifier, and 9 further bits are selected to set the sequence identifier.
Preferably, when the time identifier is set in step three, ciphertext data packets of the same moment use the same time identifier, and ciphertext data packets of different moments use different time identifiers in chronological order.
Preferably, the latency threshold in step five is 100 ms.
Preferably, the count threshold in step seven is set to 5 times: the communication error counter exceeds the count threshold when errors appear continuously for 10 minutes and exceed that count.
For example:
A VCU (transmitting node) sends 8 data packets to a BMS (receiving node) in a period of 100ms, that is, data to be sent is 8 data packets, and the lengths of the 8 data packets are respectively: 32bit, 40bit, 64bit, 48bit, 36bit, 50bit, 45bit, 20bit, total 335bit data.
The method comprises the following steps: the VCU (transmitting node) recombines 335 bits of data of 8 data packets according to the byte length requirement of the AES encryption algorithm block, generally the byte length requirement of the AES encryption algorithm block is 128 bits, therefore the data recombined according to the principle that the bit number of each front end data block is allocated to 128 bits until the bit number of the end data block is less than 128 bits becomes three data blocks of 128 bits, 128 bits and 79 bits, the checksum data is obtained by summing the data on each bit of the 335 bits of three data blocks by using a checksum mechanism preferably using a checksum mechanism, the checksum data is spliced on the 80 th bit, namely N80, of the third data block (at this time, the last bit of the third data block is N bits, the operation can be performed according to a predetermined organization, at this time, the total length of the three data blocks is 336, and the data is complemented to 128 bits by using a random number, the total length of the three data blocks is 384 bits;
Step two: encrypting the data to be sent of each front-end data block and each tail-end data block by using an AES encryption algorithm to respectively obtain corresponding ciphertext data blocks, namely performing AES128 encryption on all the data to be sent with the total length of 384 bits in sequence by using the AES encryption algorithm, changing the plaintext into ciphertext and obtaining three ciphertext data blocks;
step three: sequentially dividing each ciphertext data block according to the CAN bus transmission byte requirement to obtain a plurality of ciphertext data packets with 64 bits of bytes, obtaining 6 ciphertext data packets in total, constructing each ciphertext data packet ID according to an ID coding rule, selecting a plurality of bits from 29-bit expansion frame IDs of the ciphertext data packets to respectively set a time identifier and a sequence identifier for each ciphertext data packet, sequentially adding the sequence identifiers to the 6 ciphertext data packets by using the same time identifier for the ciphertext data packets at the same moment, sequentially adopting different time identifiers for the ciphertext data packets at different moments, setting the time identifiers to be 5 bits, adopting a cycle counting mechanism, sequentially adding the sequence identifiers to the 6 ciphertext data packets by a VCU (transmitting node), inserting the identifiers into the expansion frame IDs, and keeping the original identification function of the residual bits of the expansion frame IDs (the residual bits of the expansion frame IDs CAN be specifically set according to an insertion position specific application scene, such as the foremost 9 bits of the IDs and the like, therefore, the total length of data to be transmitted is shortened, and the data transmission efficiency is improved;
Step four: the 6 assembled ciphertext data packets are transmitted to the BMS (receiving node) through the CAN network according to the CAN communication protocol;
Step five: after receiving ciphertext data packets, the BMS (receiving node) first determines whether they have been received completely. If not, it waits; if the waiting time is too long, for example more than 100 ms, or a ciphertext data packet with the next time identifier is received, it abandons the reception. If the 6 data packets with the same time identifier are all successfully received, that is, the reception is complete and intact, it enters the next step;
Step six: the data in the ciphertext data packets received by the BMS (receiving node) is ciphertext and cannot be read directly, so the receiving node extracts the 6 ciphertext data packets carrying the same time identifier, splices them according to their sequence identifiers, and then performs AES decryption on each ciphertext data packet using the key of the AES decryption algorithm to obtain each plaintext data packet;
Step seven: using the check mechanism of step one, the BMS (receiving node) sums the first N-1 bits of all the data of the decrypted plaintext data packets, namely the first 335 bits, and compares the result with the 336th bit of the data. If they are the same, the check succeeds and this CAN network communication is complete. If they differ, the check fails, the data received this time is discarded as garbage data, and the communication error counter is incremented by 1. If the error counter continuously exceeds the count threshold, or the error frequency exceeds the frequency threshold (both thresholds can be preset according to the specific application), the system can be determined to be faulty or under attack at that time, for example a VCU controller fault or a CAN communication fault. The BMS (receiving node) then broadcasts the detected safety problem to the automobile CAN system, and the CAN system enters a protection mode under manual or automatic operation. The automobile CAN network system thus has a certain self-diagnosis capability against external attack and can protect itself when necessary, which improves overall safety.
It should be noted that the above-mentioned embodiments enable a person skilled in the art to more fully understand the invention, without restricting it in any way. Therefore, although the present invention has been described in detail with reference to the drawings and examples, it will be understood by those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention.
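The framing, ID tagging, reassembly and check of steps one to seven, as an added sketch that is not code from the patent. Assumptions: the check is read as a single parity bit, the identifier positions inside the 29-bit ID are chosen here, all function and class names are hypothetical, and `stand_in_cipher` is an XOR placeholder for AES-128, not AES; the 100 ms wait is not modelled.

```python
import secrets
from collections import deque

BLOCK_BITS, FRAME_BITS = 128, 64          # AES block size and CAN data field, per the page
TIME_BITS, SEQ_BITS = 5, 9                # identifier widths from claim 5
BASE_BITS = 29 - TIME_BITS - SEQ_BITS     # assumed layout: [time | sequence | original ID bits]
KEY = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample key

def stand_in_cipher(block):
    """Placeholder so the sketch runs offline; NOT AES. Swap in AES-128 here."""
    return block ^ KEY                    # XOR is its own inverse

def parity(value):
    """Sum of all bits modulo 2: the assumed reading of the page's one-bit check."""
    return bin(value).count("1") & 1

def padded_bits(payload_bits):
    """Payload plus check bit, rounded up to whole 128-bit blocks."""
    return -(-(payload_bits + 1) // BLOCK_BITS) * BLOCK_BITS

def build_frames(payload, payload_bits, time_id, base_id, encrypt=stand_in_cipher):
    """Sender, steps one to three: list of (29-bit extended ID, 64-bit data)."""
    if payload >> payload_bits:
        raise ValueError("payload longer than payload_bits")
    total = padded_bits(payload_bits)
    pad = total - payload_bits - 1
    body = (payload << 1) | parity(payload)           # check bit lands at position N
    if pad:
        body = (body << pad) | secrets.randbits(pad)  # random fill of the tail block
    frames = []
    for shift in range(total - BLOCK_BITS, -1, -BLOCK_BITS):
        block = encrypt((body >> shift) & ((1 << BLOCK_BITS) - 1))
        for half in (block >> FRAME_BITS, block & ((1 << FRAME_BITS) - 1)):
            tag = ((time_id % (1 << TIME_BITS)) << SEQ_BITS) | len(frames)
            frames.append(((tag << BASE_BITS) | (base_id & ((1 << BASE_BITS) - 1)), half))
    return frames

def receive(frames, payload_bits, decrypt=stand_in_cipher):
    """Receiver, steps five to seven: payload, or None if incomplete or the check fails."""
    expected = padded_bits(payload_bits) // FRAME_BITS
    times, by_seq = set(), {}
    for can_id, data in frames:
        tag = can_id >> BASE_BITS
        times.add(tag >> SEQ_BITS)
        by_seq[tag & ((1 << SEQ_BITS) - 1)] = data
    if len(times) != 1 or sorted(by_seq) != list(range(expected)):
        return None                                   # missing frame or mixed time identifiers
    body = 0
    for i in range(0, expected, 2):                   # two 64-bit frames per cipher block
        body = (body << BLOCK_BITS) | decrypt((by_seq[i] << FRAME_BITS) | by_seq[i + 1])
    body >>= expected * FRAME_BITS - payload_bits - 1 # drop the random fill
    payload, check = body >> 1, body & 1
    return payload if parity(payload) == check else None

class ErrorMonitor:
    """Step seven / claim 8: alarm when failures exceed `limit` within `window` seconds."""
    def __init__(self, limit=5, window=600):
        self.limit, self.window, self.stamps = limit, window, deque()

    def record_failure(self, now):
        self.stamps.append(now)
        while self.stamps and now - self.stamps[0] > self.window:
            self.stamps.popleft()
        return len(self.stamps) > self.limit
```

With real AES-128 in place of the stand-in, the framing and reassembly logic is unchanged. Under the parity reading the check is one bit wide, so it catches an odd number of flipped plaintext bits only and is an error check rather than a message authentication code.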

Claims (8)

1. An automobile CAN bus encryption method, characterized in that: a transmitting node first recombines data to be transmitted in a CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm, adds a check mechanism to each data block, adds a check bit at the last bit position of the tail-end data block, and complements the tail-end data block with random data; each data block is encrypted with the AES encryption algorithm to obtain ciphertext data blocks; after the transmitting node performs data segmentation and sets a time identifier and a sequence identifier, each ciphertext data block is transmitted to a receiving node through the CAN (controller area network) network; the receiving node receives each ciphertext data block and detects its integrity, and according to the detection result either abandons or completes the reception; the data is then extracted according to the preset time identifier and sequence identifier, spliced and decrypted, and after decryption it is verified using the check mechanism to confirm the validity of the data transmission.
2. The automobile CAN bus encryption method according to claim 1, specifically comprising the following steps:
Step one: the sending node recombines the data to be sent in the CAN bus network into a plurality of data blocks according to the block length requirement of the AES encryption algorithm; each front-end data block is allocated 128 bits until the tail-end data block has fewer than 128 bits; a check mechanism sums the data on each bit of each front-end data block and the tail-end data block to obtain checksum data; the checksum data is placed immediately after the last bit of the tail-end data block and its bit position is recorded as N; and the tail-end data block is complemented to 128 bits with random data;
Step two: encrypting the data to be sent of each front-end data block and the tail-end data block by using an AES encryption algorithm to respectively obtain corresponding ciphertext data blocks;
Step three: each ciphertext data block is segmented in turn, according to the CAN bus transmission length requirement, into a plurality of 64-bit ciphertext data packets; a matching ciphertext data packet ID is constructed for each ciphertext data packet according to an ID coding rule, and several bits of the extended frame ID are selected to carry a time identifier and a sequence identifier for each ciphertext data packet;
Step four: sending a plurality of ciphertext data packets with time identifications and sequence identifications to a receiving node through a CAN network according to a CAN communication protocol;
Step five: when the receiving node receives a plurality of ciphertext data packets, it first detects whether all ciphertext data packets with the current time identifier have arrived and whether each ciphertext data packet is intact; when the detection result is incomplete, the receiving node continues to wait; when the waiting time exceeds a waiting time threshold or a data packet with the next time identifier is received, the receiving node abandons the reception; and when the detection result is complete and intact, the receiving node proceeds to step six;
Step six: the receiving node extracts all ciphertext data packets with the same time identifier, splices them according to their sequence identifiers, and performs AES decryption on all the ciphertext data packets using the key of the AES decryption algorithm to obtain the respective plaintext data packets;
Step seven: after decryption, the receiving node performs verification using the check mechanism of step one, so as to confirm the validity of the data transmission.
3. The automobile CAN bus encryption method according to claim 2, wherein in step seven, using the check mechanism of step one, the receiving node sums all the data on the first N-1 bits of each plaintext data block and compares the sum with the check data on the Nth bit; if the comparison result is the same, the check succeeds and this CAN network communication is complete; if the comparison result is different, the check fails, the current plaintext data block is regarded as garbage data, and the communication error counter is incremented by 1; if communication errors occur continuously so that the counter exceeds the count threshold, or their frequency exceeds the frequency threshold, the system is determined to be faulty or under attack at that moment, and data sending and receiving are stopped.
4. The automobile CAN bus encryption method according to claim 2 or 3, wherein the period at which the transmitting node transmits data to the receiving node is 100 ms.
5. The automobile CAN bus encryption method according to claim 2 or 3, wherein the ciphertext data packet ID in step three is a 29-bit extended frame ID, of which 5 bits are selected to carry the time identifier and 9 bits are selected to carry the sequence identifier.
6. The automobile CAN bus encryption method according to claim 5, wherein, when the time identifier is set in step three, ciphertext data packets from the same moment use the same time identifier, and ciphertext data packets from different moments use different time identifiers in time order.
7. The method of claim 2 or 3, wherein the waiting time threshold in step five is 100 ms.
8. The method of claim 3, wherein the count threshold in step seven is that the communication error counter is incremented more than 5 times within 10 consecutive minutes.
CN201910659548.XA 2019-07-22 2019-07-22 Automobile CAN bus encryption method Active CN110545257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910659548.XA CN110545257B (en) 2019-07-22 2019-07-22 Automobile CAN bus encryption method

Publications (2)

Publication Number Publication Date
CN110545257A (en) 2019-12-06
CN110545257B (en) 2022-02-25

Family

ID=68709695

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant