DE102006021297A1 - Full-transparent, coded, multi-masterable communication providing method, involves performing code exchange in initialization phase, where authentication takes place during initialization of cipher, which is made possible by secret code - Google Patents
- Publication number
- DE102006021297A1
- Authority
- DE
- Germany
- Prior art keywords
- bus
- initialization
- cipher
- controller
- takes place
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
- G06F21/85—Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
Abstract
Description
Embodiments of the invention are illustrated in the drawings and are described in more detail below. The figures show:
Each component (
Since the encryption must not introduce any additional delay, it has to take place clock-synchronously with the current bus cycle. For this reason, only on-the-fly encryption using a stream cipher (
Before communication on the bus can be encrypted, all secure bus controllers must agree on a common key as the initialization for the stream cipher. A common key is necessary so that each unit can communicate with any other unit. Various methods are conceivable for the key exchange. Because of the limited resources in a chip, however, methods optimized specifically for hardware should be chosen. Concretely, the Tree Parity Machine method, for example, can be used for this purpose.
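The Tree Parity Machine exchange named above, simulated between two secure bus controllers as an added example (not code from the patent). The sizes `K`, `N`, `L`, the SHA-256 step that turns the synchronised weights into the cipher initialization, and the direct weight comparison used to stop the simulation are assumptions of this sketch.

```python
import hashlib
import random

K, N, L = 3, 16, 3  # hidden units, inputs per unit, weight bound (assumed sizes)

class TreeParityMachine:
    def __init__(self, rng):
        # Secret state: K x N integer weights in [-L, L], never sent over the bus.
        self.w = [[rng.randint(-L, L) for _ in range(N)] for _ in range(K)]
        self.sigma = [0] * K

    def output(self, x):
        # Each hidden unit outputs the sign of its local field; tau is their product.
        self.sigma = [1 if sum(w * i for w, i in zip(wk, xk)) > 0 else -1
                      for wk, xk in zip(self.w, x)]
        tau = 1
        for s in self.sigma:
            tau *= s
        return tau

    def update(self, x, tau):
        # Hebbian rule: only units that agree with tau move; weights stay clipped.
        for k in range(K):
            if self.sigma[k] == tau:
                self.w[k] = [max(-L, min(L, w + i * tau))
                             for w, i in zip(self.w[k], x[k])]

    def key(self):
        # Assumption: the cipher initialization is SHA-256 over the final weights.
        return hashlib.sha256(bytes(w + L for row in self.w for w in row)).digest()

def synchronise(seed=2006, max_rounds=50_000):
    """Run the exchange between two controllers; returns (rounds, key_a, key_b)."""
    rng_a, rng_b, rng_bus = (random.Random(f"{seed}-{n}") for n in ("a", "b", "bus"))
    a, b = TreeParityMachine(rng_a), TreeParityMachine(rng_b)
    for rounds in range(1, max_rounds + 1):
        # Public traffic: a random +/-1 input vector and the two outputs tau.
        x = [[rng_bus.choice((-1, 1)) for _ in range(N)] for _ in range(K)]
        tau_a, tau_b = a.output(x), b.output(x)
        if tau_a == tau_b:  # weights change only in rounds where outputs agree
            a.update(x, tau_a)
            b.update(x, tau_b)
        if a.w == b.w:  # simulation shortcut: real units cannot compare weights
            return rounds, a.key(), b.key()
    raise RuntimeError("weights did not synchronise within max_rounds")

if __name__ == "__main__":
    rounds, key_a, key_b = synchronise()
    print(f"synchronised after {rounds} rounds, keys equal: {key_a == key_b}")
```

Only the input vectors and the one-bit outputs cross the bus; the weights that become the key stay inside each controller, and the per-round work is small integer arithmetic.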
During initialization, communication between the secure bus controllers is required. It is crucial that this communication can likewise run over the existing bus without having to make changes to the bus protocol. This is achieved by assigning each secure bus controller an address on the bus under which it can be reached. This address is independent of the address of the component in which the controller is located. If the address range of a bus system is not sufficient to assign additional addresses to the secure bus controllers, it is also possible to treat all communication before a successful key exchange as dedicated communication for the secure bus controllers. As soon as the key exchange has been completed, all units switch to normal communication mode.
One of the secure bus controllers must act as the initiator of the key exchange. Since a bus system is in most cases not dynamic, the initiator component can already be fixed during development. In most cases the component of the bus that has master access is chosen for this. This can be, for example, the processor or the bus arbiter. This is advantageous because communication during initialization can then be given priority. The logic for the key exchange is in the controller (
As long as the individual secure bus controllers have not yet agreed on a common key, no encrypted communication can take place. However, since the encryption is transparent to the individual components, they may want to communicate over the bus while initialization is still in progress. In this case the secure bus controller must delay, or lower the priority of, all accesses to components on the bus that may only be carried out encrypted, so that the component tries again at a later time. By then the initialization might already be complete.
During normal operation it must be ensured that all secure bus controllers continuously advance the stream cipher keys, even when they are not actively taking part in a transfer. This is required because of the symmetric structure of the architecture. Bus signals that mark a completed transfer and are available at all units on the bus can, for example, be used as the common signalling. If no such signal is available, the common bus clock can also serve as the synchronization signal.
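Why idle controllers must advance too, shown as an added simulation (not code from the patent): three controllers share one key, and the run is repeated with one unit that only steps its keystream when it takes part in a transfer. The hash-based keystream, the unit names and the sample traffic are assumptions constructed for the example.

```python
import hashlib

class SecureBusController:
    """Model of one secure bus controller between a component and the shared bus."""

    def __init__(self, shared_key, advance_when_idle=True):
        self.key = shared_key
        self.position = 0  # how often the keystream has been advanced
        self.advance_when_idle = advance_when_idle

    def crypt(self, data):
        # Stand-in keystream (assumption): SHA-256(key || position), max 32 bytes.
        pad = hashlib.sha256(self.key + self.position.to_bytes(8, "big")).digest()
        return bytes(d ^ p for d, p in zip(data, pad))  # XOR both encrypts and decrypts

    def transfer_done(self, took_part):
        # Driven by the bus signal that marks a completed transfer.
        if took_part or self.advance_when_idle:
            self.position += 1

def make_bus(key, lazy=()):
    # Units named in `lazy` model the fault: they only advance when they take part.
    return {name: SecureBusController(key, advance_when_idle=name not in lazy)
            for name in ("cpu", "dma", "mem")}

def run_bus(bus, transfers):
    """Replay (sender, receiver, plaintext) transfers; return (wire, received) pairs."""
    results = []
    for src, dst, plaintext in transfers:
        wire = bus[src].crypt(plaintext)        # what an observer on the bus sees
        results.append((wire, bus[dst].crypt(wire)))
        for name, unit in bus.items():          # every unit sees the completion signal
            unit.transfer_done(took_part=name in (src, dst))
    return results

# Constructed sample traffic and key, for illustration only.
KEY = bytes(range(16))
TRANSFERS = [("cpu", "mem", b"store r1"), ("dma", "mem", b"burst 64"),
             ("cpu", "dma", b"start ch0")]

if __name__ == "__main__":
    for label, lazy in (("all units advance", ()), ("dma skips idle cycles", ("dma",))):
        out = run_bus(make_bus(KEY, lazy), TRANSFERS)
        ok = [rx == tx for (_, rx), (_, _, tx) in zip(out, TRANSFERS)]
        print(label, ok)
```

In the faulty run the first transfer still decrypts, but every later transfer involving the lagging unit yields garbage, because its keystream position no longer matches the rest of the bus.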
Authentication can be realized with simple means. For this purpose, special non-volatile memory cells are built into the components with the secure bus controllers during manufacture; these can later be loaded with an identification key. A key can, however, also be integrated directly into the chip during manufacture. During the initialization phase this identification information is used for the key exchange. If the information does not match, no key can be exchanged. One candidate is, for example, the authentication option of the Tree Parity Machine key exchange. A challenge-response method with a hash function can also be used, however. The initiator must then carry this out with each individual secure bus controller.
Claims (2)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200610021297 DE102006021297A1 (en) | 2006-05-08 | 2006-05-08 | Full-transparent, coded, multi-masterable communication providing method, involves performing code exchange in initialization phase, where authentication takes place during initialization of cipher, which is made possible by secret code |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200610021297 DE102006021297A1 (en) | 2006-05-08 | 2006-05-08 | Full-transparent, coded, multi-masterable communication providing method, involves performing code exchange in initialization phase, where authentication takes place during initialization of cipher, which is made possible by secret code |
Publications (1)
Publication Number | Publication Date |
---|---|
DE102006021297A1 (en) | 2008-01-10 |
Family
ID=38805881
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
DE200610021297 Withdrawn DE102006021297A1 (en) | 2006-05-08 | 2006-05-08 | Full-transparent, coded, multi-masterable communication providing method, involves performing code exchange in initialization phase, where authentication takes place during initialization of cipher, which is made possible by secret code |
Country Status (1)
Country | Link |
---|---|
DE (1) | DE102006021297A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE3939828A1 (en) * | 1989-12-02 | 1991-06-06 | Ant Nachrichtentech | Data transmission with unauthorised access prevention - encoding all data after preamble and transmitting via bus system |
US20010003540A1 (en) * | 1999-11-30 | 2001-06-14 | Stmicroelectronics S.A. | Electronic security component |
DE19782075C2 (en) * | 1996-10-25 | 2001-11-08 | Intel Corp | A circuit and method for securing connection security within a multi-chip package of an integrated circuit |
DE102005013830A1 (en) * | 2005-03-24 | 2006-09-28 | Infineon Technologies Ag | Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1959606B1 (en) | Safety unit | |
EP2689553B1 (en) | Motor vehicle control unit having a cryptographic device | |
EP3157192B1 (en) | Method and system for asymmetric key derivision | |
DE102008006840A1 (en) | Data transmission method and tachograph system | |
WO2014056593A1 (en) | Method for configuring a control unit, control unit and vehicle | |
DE102013002647B3 (en) | A motor vehicle with a vehicle communication bus and method for generating bus messages | |
DE102019100546A1 (en) | Activate or deactivate a feature of a vehicle | |
DE102011002713A1 (en) | Method for providing cryptographic credentials for electronic control unit (ECU) of vehicle e.g. electric car, has control unit that deactivates vehicle drive for deleting cryptographic credentials in vehicle safety management unit | |
DE10360120B3 (en) | Rolling code based method | |
DE19805464A1 (en) | Communication and diagnosis circuit for distributed electrical components e.g. in automobile | |
DE102006021297A1 (en) | Full-transparent, coded, multi-masterable communication providing method, involves performing code exchange in initialization phase, where authentication takes place during initialization of cipher, which is made possible by secret code | |
DE4034444C2 (en) | ||
DE102020112811B3 (en) | Method and system for authenticating at least one unit | |
DE102005034713A1 (en) | Function providing system for e.g. control device of motor vehicle, has information system with master function to generate command to activate and/or deactivate functions that are dedicated and not dedicated for component use, respectively | |
DE102017202239A1 (en) | Method and device for agreeing a common key between a first node and a second node of a computer network | |
DE10136384C2 (en) | Device for the computer-controlled generation of a large number of data records | |
DE102022206899A1 (en) | Method for using cryptographic keys in an in-vehicle communication network | |
DE102018209757B3 (en) | Protection of a vehicle component | |
EP1246391A1 (en) | Method and system for cryptographic data communication with a plurality of instances | |
WO2017063996A1 (en) | Method for generating a secret in a network comprising at least two transmission channels | |
WO2017102655A1 (en) | Microcontroller system and method for controlling memory access in a microcontroller system | |
EP2656555B1 (en) | Controlling apparatus and method | |
DE102014210863B4 (en) | Method and system for the secure transmission of data | |
DE102016123178A1 (en) | Encryption device for encrypting a data packet | |
DE102020214499A1 (en) | Method for generating keys and replacing participants in a network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
OM8 | Search report available as to paragraph 43 lit. 1 sentence 1 patent law | ||
8139 | Disposal/non-payment of the annual fee |