CN112600838A - CAN bus data encryption method and device, storage medium and electronic equipment - Google Patents

CAN bus data encryption method and device, storage medium and electronic equipment Download PDF

Info

Publication number
CN112600838A
CN112600838A CN202011461454.0A CN202011461454A CN112600838A CN 112600838 A CN112600838 A CN 112600838A CN 202011461454 A CN202011461454 A CN 202011461454A CN 112600838 A CN112600838 A CN 112600838A
Authority
CN
China
Prior art keywords
key
data
secret
algorithm
encrypting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011461454.0A
Other languages
Chinese (zh)
Other versions
CN112600838B (en
Inventor
乔文胜
王建
段树明
靳龙辉
赵磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guoqi Beijing Intelligent Network Association Automotive Research Institute Co ltd
Original Assignee
Guoqi Beijing Intelligent Network Association Automotive Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guoqi Beijing Intelligent Network Association Automotive Research Institute Co ltd filed Critical Guoqi Beijing Intelligent Network Association Automotive Research Institute Co ltd
Priority to CN202011461454.0A priority Critical patent/CN112600838B/en
Publication of CN112600838A publication Critical patent/CN112600838A/en
Application granted granted Critical
Publication of CN112600838B publication Critical patent/CN112600838B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0457Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for encrypting CAN bus data, a storage medium and electronic equipment, wherein the method comprises the following steps: acquiring a root key and a secret factor periodically transmitted by a main node; generating a key stream according to a root key and the secret factor based on a confidentiality algorithm of the grand bust algorithm; encrypting plaintext data according to the key stream; and decrypting the ciphertext data according to the key stream. By implementing the method and the device, the CAN bus data are encrypted by adopting the ZUchong algorithm, the safety problem of data transmission by adopting the CAN bus is solved, an attacker is prevented from obtaining the control authority of the automobile through the CAN bus, and the safety risk of data transmission is reduced. Meanwhile, the encryption method of the CAN bus data provided by the embodiment of the invention CAN also carry out replay attack judgment in a mode of setting counting information, thereby further ensuring the safety of CAN data transmission.

Description

CAN bus data encryption method and device, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of CAN bus communication, in particular to an encryption method and device of CAN bus data, a storage medium and electronic equipment.
Background
The CAN is a short name for Controller Area Network (CAN), and the CAN bus protocol is a serial communication bus based on a message broadcast mode invented by BOSCH corporation. The Electronic Control Unit (ECU) is originally used for realizing reliable communication between Electronic Control Units (ECUs) in automobiles, and is widely applied to the fields of automobiles, industrial automation, ships, medical treatment and the like due to the characteristics of simplicity, practicability, reliability and the like, and finally becomes an international standard (ISO 11898).
Nowadays, almost all automobile manufacturers adopt a CAN bus to realize data communication between an automobile internal control system and each execution unit. With the acceleration of automobile intelligentization and networking processes, information safety in automobiles faces a severe examination. At present, most CAN bus data are communicated in a plaintext mode without any safety processing. Therefore, an attacker CAN obtain the control authority of the automobile through the CAN bus, and great safety risk is achieved.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for encrypting CAN bus data, a storage medium, and an electronic device, so as to solve the technical problem in the prior art that there is a large security risk when a CAN bus is used to transmit data.
The technical scheme provided by the invention is as follows:
the first aspect of the embodiments of the present invention provides an encryption method for CAN bus data, where the encryption method includes: acquiring a root key and a secret factor periodically transmitted by a main node; generating a key stream according to the root key and the secret factor based on a confidentiality algorithm of a grandfather algorithm; and encrypting plaintext data according to the key stream.
Optionally, the method for encrypting the CAN bus data further includes: and decrypting the ciphertext data according to the key stream.
Optionally, the secret factor obtained for each period includes: the key management method comprises the steps of firstly, periodically sending a first periodic key, a second periodic key, a third periodic key and three periodic cyclic redundancy check codes; after the secret factors periodically sent by the master node and the root key are obtained, the method further comprises the following steps: judging whether the secret factor sent by the master node in the current period is completely consistent with the secret factor sent by the master node in the previous period; when the secret factors are not completely consistent, determining the number of updated secret factors sent by the master node in the current period; when the updated number is a first preset value, obtaining a periodic key of a first period; when the updated number is a second preset value, obtaining a period key of a first period and a second period, wherein the second preset value is larger than the first preset value; and when the updated number is a third preset value, obtaining the cycle key of the first cycle, the second cycle and the third cycle, wherein the third preset value is larger than the second preset value.
Optionally, the generating a key stream according to the root key and the secret factor based on a confidentiality algorithm of the grandfather algorithm includes: determining a confidentiality key of a confidentiality algorithm of the grandfather's algorithm according to the root key; determining a counter parameter of a confidentiality algorithm of the grandfather algorithm according to a period key of one period in the secret factor; determining an initial vector of a confidentiality algorithm of the grand dashing algorithm according to the counter parameter, the bearing layer identification parameter and the transmission direction identification; and generating a key stream according to the confidentiality key and the initial vector.
Optionally, encrypting plaintext data according to the key stream includes: acquiring plaintext data to be encrypted; obtaining node information corresponding to plaintext data according to a sending node of the plaintext data; obtaining plaintext counting information according to the occurrence times of the node information of the plaintext data; calculating to obtain a cyclic redundancy check code of the plaintext data according to the plaintext data; encrypting the ciphertext data according to the key stream to obtain encrypted data; and obtaining ciphertext data according to the encrypted data, the plaintext counting information and the cyclic redundancy check code.
Optionally, decrypting the ciphertext data according to the key stream includes: acquiring ciphertext data to be decrypted; decrypting the ciphertext data by adopting the current period key stream according to the key stream synchronization state to obtain a cyclic redundancy check code; judging whether the cyclic redundancy check code is correct or not; and when the cyclic redundancy check code is incorrect, decrypting the ciphertext data according to other periodic key streams until the cyclic redundancy check code is correct.
Optionally, the method for encrypting the CAN bus data further includes: obtaining node information corresponding to the ciphertext data according to the sending node of the ciphertext data; obtaining ciphertext counting information according to the occurrence times of the node information of the ciphertext data; judging whether the ciphertext counting information is equal to plaintext counting information in the acquired ciphertext data or meets a first relation; attack information is obtained when the two are equal or satisfy a first relationship.
A second aspect of an embodiment of the present invention provides an encryption system for CAN bus data, where the encryption system includes: the factor acquisition module is used for acquiring a root key and a secret factor periodically transmitted by the main node; the secret key stream generation module is used for generating a secret key stream according to the root secret key and the secret factor based on a confidentiality algorithm of a grandma algorithm; and the encryption module is used for encrypting the plaintext data according to the key stream.
A third aspect of the embodiments of the present invention provides a computer-readable storage medium, where computer instructions are stored, and the computer instructions are configured to cause a computer to execute the method for encrypting CAN bus data according to any one of the first aspect and the first aspect of the embodiments of the present invention.
A fourth aspect of an embodiment of the present invention provides an electronic device, including: the CAN bus encryption method comprises a memory and a processor, wherein the memory and the processor are connected in communication with each other, the memory stores computer instructions, and the processor executes the computer instructions so as to execute the CAN bus data encryption method according to the first aspect of the embodiment of the invention.
The technical scheme provided by the invention has the following effects:
according to the CAN bus data encryption method, device, storage medium and electronic equipment provided by the embodiment of the invention, CAN bus data are encrypted by adopting the ZUZUZUZU algorithm, so that the safety problem of data transmission by adopting the CAN bus is solved, an attacker is prevented from obtaining the control authority of an automobile through the CAN bus, and the safety risk of data transmission is reduced. Meanwhile, the encryption method of the CAN bus data provided by the embodiment of the invention CAN also carry out replay attack judgment in a mode of setting counting information, thereby further ensuring the safety of CAN data transmission.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an encryption method of CAN bus data according to an embodiment of the present invention;
fig. 2 is a flowchart of an encryption method of CAN bus data according to another embodiment of the present invention;
fig. 3 is a block diagram showing the structure of an encryption/decryption apparatus for CAN bus data according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer-readable storage medium provided according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides an encryption method of CAN bus data, as shown in figure 1, the encryption method comprises the following steps:
step S101: acquiring a root key and a secret factor periodically transmitted by a main node; specifically, the CAN bus may be a CAN bus device integrated in an automobile, and is used for communication of node devices such as a gateway and an ECU in the automobile. When the node equipment in the automobile needs to transmit data through the CAN bus, the encryption and decryption method CAN be used for encryption and decryption. The encryption and decryption method can be realized by arranging an encryption and decryption component in the automobile.
In an embodiment, when the component needs to be used for encryption and decryption, the component is initialized to obtain the root key and the secret factor periodically sent by the master node. Wherein, the root key can be read from a hardware security module or FLASH for storing the root key. And the master node equipment in the gateway or the ECU in the automobile can generate random numbers at regular time and send the generated random numbers to the encryption and decryption component in a broadcast manner to obtain the secret factors required by encryption.
In one particular embodiment, the master node device broadcasts a 64-bit secret factor each time, where the first 48 bits are used to encrypt the algorithm key stream and the last 16 bits are the first 48 bits of a CRC check (cyclic redundancy check). Specifically, as shown in table 1, a secret factor of 64 bits may be used to derive a cycle key and crc16 checks for three cycles, i.e., the first cycle, the second cycle, and the third cycle, respectively.
TABLE 1
Figure BDA0002823567880000051
Figure BDA0002823567880000061
After the master node device broadcasts a periodic secret factor, for example after 5 seconds, the master node discards the secret factors bit 0-bit 7; bit 8-bit 47 are shifted forward by 8 bits as a whole, and 8-bit random numbers are acquired again to cover bit 40-bit 47, and broadcast again after recalculating CRC 16. In addition, the number of secret factors and the transmission period that the master node device transmits per cycle may also be other values, which is not limited in the embodiment of the present invention.
In one embodiment, when computing the key stream by using the ancestry algorithm, a secret factor of 32 bits is required to generate a confidentiality key, i.e. a periodic key of one period is required, so in order to avoid generating the same key stream, the obtained secret factor needs to be judged, and periodic keys of different periods are generated. Specifically, as shown in fig. 2, after the step S101 acquires the root key and the secret factor periodically transmitted by the master node, the method further includes the following steps:
step S201: judging whether the secret factor sent by the master node in the current period is completely consistent with the secret factor sent by the master node in the previous period; specifically, for the acquired secret factor of one cycle transmitted by the master node, the 48-bit secret factor as the cycle key may be checked to determine whether it completely matches the secret factor of the previous cycle transmitted by the master node, and if it completely matches, it indicates that the secret factor is not updated, at this time, the secret factor acquired in the cycle may be discarded, and the secret factor of the next cycle transmitted may be acquired again.
Step S202: when the secret factors are not completely consistent, determining the number of updated secret factors sent by the master node in the current period; if the secret factors do not match each other completely, it is described that the secret factor transmitted in the period is updated, and in this case, the number of updates of the secret factor needs to be determined. Since the master node re-acquires the 8-bit random number covering bit 40-bit 47 at the time of broadcast transmission, the number of updated secret factors should be a multiple of 8.
Step S203, when the updated number is a first preset value, obtaining a period key of a first period; specifically, when it is determined that the number of secret factor updates is 8, it is described that the secret factor acquired at this time updates the cycle key of one cycle, and the updated 8-bit secret factor and 24 bits before the 8 bits can be added together to form the cycle key of one cycle, so that the cycle key of one cycle can be updated.
Step S204, when the updated number is a second preset value, obtaining the period key of the first period and the second period, wherein the second preset value is larger than the first preset value; specifically, when it is determined that the number of secret factor updates is 16, which indicates that the secret factor acquired at this time updates the period key of two periods, each 8 bits of the updated 16 bits and the preceding 24 bits may together form the period key of one period, and thus, the period keys of two periods may be updated.
Step S205: and when the updated number is a third preset value, obtaining the cycle key of the first cycle, the second cycle and the third cycle, wherein the third preset value is larger than the second preset value. Specifically, when it is determined that the number of secret factor updates is 24 or greater than 24, which indicates that the secret factor acquired at this time updates the cycle key for three cycles, each 8 bits of the updated 24 bits and the preceding 24 bits may together form the cycle key for one cycle, and thus, the cycle key for three cycles may be updated.
Step S102: generating a key stream according to a root key and a secret factor based on a confidentiality algorithm of the grand bust algorithm; in one embodiment, after the encryption/decryption component determines that the periodic key is updated for a period, the encryption/decryption component may generate the keystream using the periodic key using a confidentiality algorithm that employs a grand rush algorithm.
In an embodiment, for the confidentiality algorithm of the grand bust algorithm, the obtained root key may be used as the Confidentiality Key (CK), and meanwhile, a periodic key of one period, that is, a secret factor of 32 bits, is used as a counter (count) of the confidentiality algorithm, and a parameter bearer layer identifier (bearer) and a transmission direction identifier (direction) in the algorithm are set to 0. Then initializing by adopting a confidentiality KEY CK, a parameter bearing layer identifier and a transmission direction identifier, and constructing an initial KEY KEY and an initial vector IV of the grand dashing algorithm; and finally, generating a KEY stream for encryption and decryption by using the generated initial KEY KEY and the initial vector IV.
Step S103: encrypting plaintext data according to the key stream; in a specific embodiment, when performing encryption, plaintext data to be encrypted is obtained first, and the encryption and decryption component supports that the length of the encrypted plaintext data is n bytes, where 1 < ═ n < > 7. Therefore, when the encryption operation is performed, n bytes of plaintext data are called for encryption.
In an embodiment, before encryption, node information of the node device sending the plaintext data, for example, an ID of the node device, is obtained, and then whether the node information is stored is searched in the component, that is, whether the data of the node device is encrypted or decrypted is determined. When the node information is not found, a new node information may be created in the component and the node ID is saved, while the count cnt is saved to 0. If the node information is found, the data of the node is encrypted and decrypted, the stored cnt can be searched from the node, and the new count is stored as cnt +1 stored in the node. After the count cnt is determined, the crc of the plaintext data is calculated based on the plaintext data for subsequent data verification when decrypting the encrypted plaintext data.
In one embodiment, it can be known from the above steps 201 to 205 that the secret factor transmitted periodically according to the master node can generate a periodic key of one period, two periods, or three periods, and the keystream of the corresponding period number can be generated according to the corresponding periodic key by using the algorithm of ancestry. After the key stream of the corresponding number of cycles is acquired, it may be saved. During encryption, the key stream with the length of the plaintext data CAN be read from the key stream in the current period to perform exclusive or operation with the plaintext data, so that encryption of CAN bus data is completed, and encrypted data is obtained. Meanwhile, the calculated crc and cnt can form a byte, and the byte and the encrypted data form ciphertext data to be output.
In one embodiment, there are n bytes for the plaintext data to be encrypted, and the ciphertext data comprises n +1 bytes, with an additional one byte comprising the cnt and crc of the computed plaintext data, the cnt and crc occupying 4 bits, respectively. The node information of the node device stored in the encryption and decryption component may specifically include an ID of the node, a cnt stored in the node, and a key synchronization state of the node. Wherein the key synchronization state comprises a number of cycles of the current keystream saved.
Step S104: and decrypting the ciphertext data according to the key stream.
In an embodiment, during decryption, a key stream of one period may be selected from the stored key stream to decrypt ciphertext data according to the key synchronization state, and a cyclic redundancy check code is generated according to the decrypted data, and the check code is compared with crc attached to the encrypted data to determine whether the two are the same, and if the two are the same, it indicates that the decrypted key stream is correct, and correct plaintext data is obtained. If the two are different, the adopted key stream is wrong, and at the moment, the stored key stream in other periods is selected according to the synchronous state to decrypt data until a correct check code is obtained. If no key stream of other periods is found according to the synchronization state, the decryption process can be terminated.
In an embodiment, before decryption, node information of the node device that sends the ciphertext data is obtained, for example, an ID of the node device, and then whether the node information is stored is searched in the component, that is, whether the data of the node device is encrypted or decrypted is determined. When the node information is not found, a new node information can be created in the component and the node ID is saved, while the count scnt is saved as 0. If the node information is found, the data of the node is encrypted and decrypted, and the stored cnt can be searched from the node and recorded as scnt.
In one embodiment, after the decryption check is passed, a replay attack determination may also be made based on the count information. Specifically, when the corresponding node information is not found in the component before decryption, it is considered that no replay attack has occurred. If the corresponding node information is found before decryption, the cnt attached to the encrypted data can be acquired, the cnt and the value of the scnt acquired before decryption are compared, and if the two values are equal or the cnt and the scnt meet the relation (cnt-scnt)% 0x10 > 8, the method can be regarded as replay attack.
According to the encryption method of the CAN bus data, provided by the embodiment of the invention, the CAN bus data are encrypted by adopting the ZUZUC algorithm, so that the safety problem of data transmission by adopting the CAN bus is solved, an attacker is prevented from obtaining the control authority of an automobile through the CAN bus, and the safety risk of data transmission is reduced. Meanwhile, the encryption method of the CAN bus data provided by the embodiment of the invention CAN also carry out replay attack judgment in a mode of setting counting information, thereby further ensuring the safety of CAN data transmission.
An embodiment of the present invention further provides an encryption system for CAN bus data, as shown in fig. 3, the encryption system includes:
the factor acquiring module 1 is used for acquiring a root key and a secret factor periodically transmitted by a main node; for details, refer to the related description of step S101 in the above method embodiment.
A key stream generation module 2, configured to generate a key stream according to the root key and the secret factor based on a confidentiality algorithm of a grandma algorithm; for details, refer to the related description of step S102 in the above method embodiment.
The encryption module 3 is used for encrypting plaintext data according to the key stream; for details, refer to the related description of step S103 in the above method embodiment.
And the decryption module 4 is used for decrypting the ciphertext data according to the key stream. For details, refer to the related description of step S104 in the above method embodiment.
According to the encryption system of the CAN bus data provided by the embodiment of the invention, the CAN bus data is encrypted by adopting the ZUZUC algorithm, so that the safety problem of data transmission by adopting the CAN bus is solved, an attacker is prevented from obtaining the control authority of an automobile through the CAN bus, and the safety risk of data transmission is reduced. Meanwhile, the encryption and decryption system of the CAN bus data provided by the embodiment of the invention CAN also carry out replay attack judgment in a mode of setting counting information, thereby further ensuring the safety of CAN data transmission.
The function description of the encryption system of the CAN bus data provided by the embodiment of the invention refers to the description of the encryption method of the CAN bus data in the above embodiment in detail.
An embodiment of the present invention further provides a storage medium, as shown in fig. 4, on which a computer program 601 is stored, where the instructions are executed by a processor to implement the steps of the method for encrypting CAN bus data in the foregoing embodiment. The storage medium is also stored with audio and video stream data, characteristic frame data, an interactive request signaling, encrypted data, preset data size and the like. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kind described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a flash Memory (FlashMemory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid-State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
An embodiment of the present invention further provides an electronic device, as shown in fig. 5, the electronic device may include a processor 51 and a memory 52, where the processor 51 and the memory 52 may be connected by a bus or in another manner, and fig. 5 takes the connection by the bus as an example.
The processor 51 may be a Central Processing Unit (CPU). The Processor 51 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 52, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the corresponding program instructions/modules in the embodiments of the present invention. The processor 51 executes various functional applications and data processing of the processor, namely, implements the encryption method of the CAN bus data in the above-described method embodiments, by running the non-transitory software programs, instructions, and modules stored in the memory 52.
The memory 52 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 51, and the like. Further, the memory 52 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 52 may optionally include memory located remotely from the processor 51, and these remote memories may be connected to the processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 52 and when executed by the processor 51 perform a method of encrypting CAN bus data as in the embodiment of fig. 1-2.
The details of the electronic device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 to fig. 2, and are not described herein again.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method for encrypting CAN bus data is characterized by comprising the following steps:
acquiring a root key and a secret factor periodically transmitted by a main node;
generating a key stream according to the root key and the secret factor based on a confidentiality algorithm of a grandfather algorithm;
and encrypting plaintext data according to the key stream.
2. The method of encrypting CAN bus data according to claim 1, further comprising: and decrypting the ciphertext data according to the key stream.
3. The method of encrypting CAN bus data of claim 1, wherein the secret factor for each cycle obtained comprises: the key management method comprises the steps of firstly, periodically sending a first periodic key, a second periodic key, a third periodic key and three periodic cyclic redundancy check codes;
after the secret factors periodically sent by the master node and the root key are obtained, the method further comprises the following steps:
judging whether the secret factor sent by the master node in the current period is completely consistent with the secret factor sent by the master node in the previous period;
when the secret factors are not completely consistent, determining the number of updated secret factors sent by the master node in the current period;
when the updated number is a first preset value, obtaining a periodic key of a first period;
when the updated number is a second preset value, obtaining a period key of a first period and a second period, wherein the second preset value is larger than the first preset value;
and when the updated number is a third preset value, obtaining the cycle key of the first cycle, the second cycle and the third cycle, wherein the third preset value is larger than the second preset value.
4. The method for encrypting CAN bus data according to claim 3, wherein generating a key stream based on the root key and the secret factor based on a confidentiality algorithm of an ancestor algorithm comprises:
determining a confidentiality key of a confidentiality algorithm of the grandfather's algorithm according to the root key;
determining a counter parameter of a confidentiality algorithm of the grandfather algorithm according to a period key of one period in the secret factor;
determining an initial vector of a confidentiality algorithm of the grand dashing algorithm according to the counter parameter, the bearing layer identification parameter and the transmission direction identification;
and generating a key stream according to the confidentiality key and the initial vector.
5. The method of encrypting CAN bus data according to claim 2, wherein encrypting plaintext data based on the key stream comprises:
acquiring plaintext data to be encrypted;
obtaining node information corresponding to plaintext data according to a sending node of the plaintext data;
obtaining plaintext counting information according to the occurrence times of the node information of the plaintext data;
calculating to obtain a cyclic redundancy check code of the plaintext data according to the plaintext data;
encrypting the ciphertext data according to the key stream to obtain encrypted data;
and obtaining ciphertext data according to the encrypted data, the plaintext counting information and the cyclic redundancy check code.
6. The method of claim 5, wherein decrypting ciphertext data according to the keystream comprises:
acquiring ciphertext data to be decrypted;
decrypting the ciphertext data by adopting the current period key stream according to the key stream synchronization state to obtain a cyclic redundancy check code;
judging whether the cyclic redundancy check code is correct or not;
and when the cyclic redundancy check code is incorrect, decrypting the ciphertext data according to other periodic key streams until the cyclic redundancy check code is correct.
7. The method of encrypting CAN bus data according to claim 6, further comprising:
obtaining node information corresponding to the ciphertext data according to the sending node of the ciphertext data;
obtaining ciphertext counting information according to the occurrence times of the node information of the ciphertext data;
judging whether the ciphertext counting information is equal to plaintext counting information in the acquired ciphertext data or meets a first relation;
attack information is obtained when the two are equal or satisfy a first relationship.
8. A system for encrypting CAN bus data, comprising:
the factor acquisition module is used for acquiring a root key and a secret factor periodically transmitted by the main node;
the secret key stream generation module is used for generating a secret key stream according to the root secret key and the secret factor based on a confidentiality algorithm of a grandma algorithm;
and the encryption module is used for encrypting the plaintext data according to the key stream.
9. A computer-readable storage medium storing computer instructions for causing a computer to execute the method for encrypting CAN bus data according to any one of claims 1 to 7.
10. An electronic device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, the processor executing the computer instructions to perform the method for encrypting CAN bus data according to any one of claims 1 to 7.
CN202011461454.0A 2020-12-08 2020-12-08 CAN bus data encryption method and device, storage medium and electronic equipment Active CN112600838B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011461454.0A CN112600838B (en) 2020-12-08 2020-12-08 CAN bus data encryption method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011461454.0A CN112600838B (en) 2020-12-08 2020-12-08 CAN bus data encryption method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112600838A true CN112600838A (en) 2021-04-02
CN112600838B CN112600838B (en) 2023-02-14

Family

ID=75192845

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011461454.0A Active CN112600838B (en) 2020-12-08 2020-12-08 CAN bus data encryption method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112600838B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794734A (en) * 2021-09-26 2021-12-14 上汽通用五菱汽车股份有限公司 Vehicle-mounted CAN bus encryption communication method, control device and readable storage medium
CN114142998A (en) * 2021-11-26 2022-03-04 北京神经元网络技术有限公司 Data encryption processing method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110057348A (en) * 2009-11-24 2011-06-01 한국전자통신연구원 Can communication security apparatus and can communication security method
CN106453326A (en) * 2016-10-19 2017-02-22 中国第汽车股份有限公司 Authentication and access control method for CAN (Controller Area Network) bus
CN106549940A (en) * 2016-10-13 2017-03-29 北京奇虎科技有限公司 Vehicle data transmission method and system
CN111865922A (en) * 2020-06-23 2020-10-30 国汽(北京)智能网联汽车研究院有限公司 Communication method, device, equipment and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110057348A (en) * 2009-11-24 2011-06-01 한국전자통신연구원 Can communication security apparatus and can communication security method
CN106549940A (en) * 2016-10-13 2017-03-29 北京奇虎科技有限公司 Vehicle data transmission method and system
CN106453326A (en) * 2016-10-19 2017-02-22 中国第汽车股份有限公司 Authentication and access control method for CAN (Controller Area Network) bus
CN111865922A (en) * 2020-06-23 2020-10-30 国汽(北京)智能网联汽车研究院有限公司 Communication method, device, equipment and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794734A (en) * 2021-09-26 2021-12-14 上汽通用五菱汽车股份有限公司 Vehicle-mounted CAN bus encryption communication method, control device and readable storage medium
CN114142998A (en) * 2021-11-26 2022-03-04 北京神经元网络技术有限公司 Data encryption processing method and device, electronic equipment and storage medium
CN114142998B (en) * 2021-11-26 2024-03-15 北京神经元网络技术有限公司 Data encryption processing method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN112600838B (en) 2023-02-14

Similar Documents

Publication Publication Date Title
KR102316872B1 (en) Controller area network bus-based secure communication method, apparatus and system
CN108075897B (en) Controller area network message authentication
US9252945B2 (en) Method for recognizing a manipulation of a sensor and/or sensor data of the sensor
US9596075B2 (en) Transparent serial encryption
US10057071B2 (en) Component for connecting to a data bus, and methods for implementing a cryptographic functionality in such a component
CN112688845B (en) Communication method and device of vehicle-mounted CAN network
US10623187B2 (en) Generating cryptographic checksums
CN112600838B (en) CAN bus data encryption method and device, storage medium and electronic equipment
CN111404952B (en) Transformer substation data encryption transmission method and device, computer equipment and storage medium
WO2020155622A1 (en) Method, device and system for enhancing security of image data transmission, and storage medium
EP3624391A1 (en) Public/private key system with decreased encrypted message size
CN112715016B (en) Key Encapsulation Protocol
US20150350241A1 (en) Data frame for protected data transmissions
Xiao et al. Session key distribution made practical for CAN and CAN-FD message authentication
CN113632419A (en) Device and method for generating and authenticating at least one data packet to be transmitted in a BUs system (BU), in particular of a motor vehicle
CN109981671B (en) Data processing method based on encryption machine and encryption machine
US10581609B2 (en) Log message authentication with replay protection
CN116488919B (en) Data processing method, communication node and storage medium
CN111865557B (en) Verification code generation method and device
CN116709312A (en) Safety protection method and device and electronic equipment
US20150220755A1 (en) Solution for security, safe and time integrity communications in automotive environments
CN111949996A (en) Generation method, encryption method, system, device and medium of security private key
CN113784342B (en) Encryption communication method and system based on Internet of things terminal
CN114938265A (en) CAN bus safety protection method, device and storage medium
CN113489589A (en) Data encryption and decryption method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant