Secure Authentication in the Presence of Malicious Messages and Packet Reorders: Study on CAN Bus

Abstract

Message authentication is fundamental for securing modern automotive networks. Our work focuses on integrating buffering in existing authentication protocols to sustain the presence of malicious or corrupt messages, and arbitrary packet swaps in the in-vehicle network. The proposed extension applies to the popular vatiCAN protocol, and other CAN bus authentication protocols, which use separate messages for transferring packet information and authentication data. The proposed extension uses one or more, independent Finite State Machines (FSMs) at each receiver node to temporarily store and subsequently validate message pairs, i.e., a legitimate data packet L with its hashed-based message authentication code (HMAC) packet H. The proposed methodology is evaluated experimentally on a Raspberry Pi-based Electronic Control Unit (ECU) with CAN interfaces. We examine key design parameters, such as the LH swap rate, the malicious rate, and queue configuration options, such as the queue size and flush policy. Results show that the protocol extension improves authentication. When the queue size is below 5, the LH swap rate is up to 50%, and 50% of malicious packets are introduced, the validated packet rate is low (5%). However, if the queue size exceeds 20, the verified packet rate reaches 100%, regardless of other parameters. The increased queue size has a minimal effect on latency, which increases by a few ms on average, and on false positives, which remain below 10-9. Statistical models help evaluate queue size bounds for worst-case scenarios, strengthening our experimental findings.