Embedded Systems Academy

NXP offers a Two-Part Webinar based on the LPC54000 series about CAN-FD and secure bootloaders.

Part I: “An intro to CAN-FD” will be held on Thursday, May 25, 5:00 PM – 6:00 PM CEST.
In this webinar CAN bus expert Andy Ayre from Embedded Systems Academy will give you a technical overview of the improvements and benefits of CAN-FD over classic CAN, and how to specifically leverage this new technology on the LPC54618 MCU.

Part II: “CAN stack porting and secure bootloaders” will be held on Thursday, June 29, 5:00 PM – 6:00 PM CEST.
Experts from Embedded Systems Academy explain the requirements for an implementation of secure and non-secure bootloaders in CAN and CAN-FD systems – leveraging the LPC546xx MCU family as an example.

Register now for these events on the NXP website at: http://www.nxp.com/support/training-events/online-academy/lpc54000-series-online-training:LPC54000-Series-Online-Training

The Embedded Systems Academy now has the commercial version of CANcrypt available. It includes the hardcover, full-color version of the book and examples for both, the pairing and grouping modes. Demo implementations are provided for various NXP LPC processors (LPC23xx, LPC17xx and LPC11Cxx), the STM32F0xx as well as for the PEAK PCAN basic library supporting PEAK CAN interfaces.

The pairing demo shows how a 128bit key is securely transmitted from one device to another. The grouping demo shows secure communication between three devices. Here security is based on a session key that is continuously updated and gets saved when ungrouping. You can find more information including the software manual and the license information in our online store at www.esacademystore.eu/CANcrypt-Commercial/en.

The last two weeks were very exciting for us: We held several papers at the International CAN Conference and Embedded World (both in Nuremberg, Germany), participated in the first CANopen FD demonstrator at both events – with the new NXP LPC54618 – and finally released our book “Implementing scalable CAN security with CANcrypt”.

The CANopen FD demonstrator at the CiA (CAN in Automation) booth showed one of the new features of CANopen FD: segmented broadcast of larger data blocks with “Universal Service Data Objects” (USDOs). This feature can be used to broadcast images, configuration tables or even firmware updates. Here, any participant could be commanded to broadcast an image to all other participants. Such use cases were almost unthinkable with classic CANopen communication.

At Embedded World, PHYTEC showed a Nano Dimension 3D printer for PCBs. Prototyping your printed circuit boards just became a lot easier and faster. The circuits are printed with a highly conductive ink. It looks like the machine can directly produce boards from Gerber files.

At the NXP booth, one of the demos featured the NXP LPC54618 microcontroller with two CAN FD interfaces. The “FD” (Flexible Data rate) allows the data portion of a CAN message to be transmitted at higher bit rates. So far, classical CAN was limited to 1 Mbps. With currently available transceivers the data rate can now be up to 5 Mbps. Also in CAN FD, the maximum payload for each message is 64 bytes compared to eight bytes in traditional CAN. The demo compared different firmware download speeds. Using CAN FD, updates can now be transferred multiple times faster than before.

The release of our book about CANcrypt (www.cancrypt.net) stirred a lot of interest and we had many engaged discussions, also with some security experts. CANcrypt is a security framework and the security level actually used is configurable. As usually, there is a trade-off: the more security you require, the more resources both in CPU time as well as in memory space you need. For a configuration on the upper end of security, proven encryption methods like AES-128 can be used. It will be interesting to see if the lower-end lightweight “Speck” cipher reaches adequate security levels, too.

A first potential weak spot in one of the initial published configurations (user section, where user’s are setting up their own security configuration) was already discovered and is currently improved. The encryption of the secure heartbeat accidentally used only limited parts of the shared dynamic key, reducing the effective key to 32-bit. However, CANcrypt supports key sizes of up to 1024-bit. The next release will use a demo where a larger key is applied properly.

To learn about our bounty program, stay tuned by joining our mailing list or following us on twitter . Within the next few weeks we will start such a program to encourage others to search for possible flaws in the CANcrypt implementation.

This spring, the tutors of ESAcademy present five CAN and CANopen related papers at the 16th international CAN Conference and the Embedded World Conference 2017.

16th iCC, 7th to 8th March 2017 in Nuremberg
www.can-cia.org/services/conferences/icc/icc-2017/

Bernhard Floeth (Opel) and Olaf Pfeiffer (ESAcademy):
Using an enhanced condensed device configuration file format for CANopen boot-loading and/or device testing
This paper presents the enhanced CDCF player integrated in our free CANopen File Player and CANopen Diag projects. It supports spreadsheet based (.csv) Object Dictionary access with active flow control. (Tuesday, March 07, 2017, Session II)

Andrew Ayre (ESAcademy):
Automated trace analysis for testing of CANopen devices
This paper presents a summary of the debug information extractable from CANopen trace recordings. The functionality described in this paper are implemented in our Logxaminer software. (Wednesday, March 08, 2017, Session VII)

Olaf Pfeiffer (ESAcademy) and Christian Keydel (ESAcademy):
Scalable security for CAN, CANopen, and other CAN protocols
This paper describes the main functionality of the CANcrypt security framework described in our book “Implementing Scalable
CAN Security with CANcrypt”. (Wednesday, March 08, 2017, Session VIII)

Meet our tutors at our tabletop display table at the conference.

Embedded World Conference 2017, 14th to 16th March 2017, Nuremberg
www.embedded-world.eu/program.html

Christian Keydel (ESAcademy):
Secure CANopen (FD) Bootloading
This paper shows how to adapt the security mechanisms introduced by CANcrypt to CANopen, CAN (FD) and bootloading. (THURSDAY, MARCH 16, 2017, Session 25/I)

Olaf Pfeiffer (ESAcademy):
CiA 447, the CANopen Standard for After-Market Automotive Applications
This paper summarizes the key features of the CANopen application profile CiA 447. These include wake-up and sleep mechanisms as well as plug-and play functionality. (THURSDAY, MARCH 16, 2017, Session 25/II)

Meet our tutors at the PEAK System booth (Hall 1, Booth 1-483)

We look forward to meeting you

We have released a new version of CANopen Architect, aimed at advanced users. The new Professional version builds upon the features found in the Standard version adding new functionality for quicker data entry and ideal for developers of CANopen products.

The Professional version can export Electronic Data Sheets as Word documents, allowing automatic generation of product manuals and internal documentation. Enter a descriptive text for each entry, choose the export options and save. The output can be used as a standalone manual or can be copied and pasted into an existing manual. Options are provided for using a template document and styling headings and tables.

A user-friendly PDO configuration window has been added. The new window allows quick and easy PDO creating and editing at a higher level than Object Dictionary entries. Mappings can be changed and reviewed without worrying about needing to keep the various underlying Object Dictionary entries consistent. Users of our CANopen Magic configuration and analysis tool will find the new window immediately familiar.

The new version provides an integrated command line interface allowing power users to quickly create and manipulate large amounts of PDOs. Commands can be placed into files and executed in a single step. Multiple commands for a variety of situations are provided and will be added to from time to time.

For details of the new features and to try the evaluation version please visit the CANopen Architect website.

Existing users of CANopen Magic Standard are able to upgrade. Please contact us for pricing.

A summary of the technical features used by CANcrypt

By Olaf Pfeiffer, Embedded Systems Academy GmbH, 26th of February 2016

At the Embedded World 2016 in Nuremberg, Embedded Systems Academy GmbH announced their book “Implementing Scalable CAN Security with CANcrypt”. The corresponding CANcrypt demo code will be published using an open license. At the Embedded World we have seen a lot of interest in the technical details. For those who do not want to wait until the publication of the book this article summarizes the key technical features of CANcrypt (also see our CANcrypt.eu web page for more information).

Core Functionality of CANcrypt

CANcrypt provides the following services:

• Pairing: dynamic generation of a random key that is only known by the paired devices; optionally, one device can enforce a preset key to the other.
  • generate and exchange keys
  • optional storing of keys in non-volatile memory for permanent pairing
  • support of a key hierarchy when multiple keys are stored
  • maintain dynamically changing key (pseudo one-time pad)
  • dynamic key updated using shared random bit
• Grouping: multiple devices share a common dynamic key
  • originally assigned through pairing
  • maintain dynamically changing key (pseudo one-time pad)
  • dynamic key cyclically updated by all grouped devices
• Safety communication: any secure communication uses a preamble message
  • messages received are only accepted and passed on to application if together with the preamble the authentication and decryption is verified successfully
  • preamble identifies message CAN ID, security features used, has a counter and a signature
  • secure messages must be received within 10ms after the preamble to be valid

CAN message IDs required:

• one CAN ID for each participating device
• used for preamble and control messages
• a CAN ID pair used for the random bit generation cycle

Cipher methods used

CANcrypt keys are symmetrical and dynamic, they are continuously updated. From the dynamic key and a message counter a pseudo one-time pad is generated that is used for the simple, customizable encryption.

If the secure pairing is only active for two nodes, a random bit generation cycle is used continuously in the background to introduce new bits to the dynamic key. If multiple nodes are paired, then the dynamic key update information is sent via an encrypted message.

The system pairing process is started using a CANcrypt configurator device. This can be done by a system builder or integrator once the CAN system is installed. It must happen in a secure environment. The keys generated at that time are stored locally in the devices connected – there is no need to keep any further copy of this key outside the system, minimizing the effort placed on key management. The keys cannot be duplicated. If a new device is added (or one exchanged), all keys need to be erased and newly generated.

As stored keys in each device make up a hierarchy, we can guarantee that erasing and regenerating keys can only happen when the configurator used is logged-in to the system based on a key high enough in the hierarchy to allow erasing and re-paring.

Operating principle for random bit generation

Bit generation cycle

Solely by monitoring CAN messages, one cannot identify the device that sent any individual message, because at that level, any device can transmit any message. As an example, let us allow two devices (named initiator and responder) to transmit messages with the CAN IDs 0010h and 0011h (and data length zero) within a “bit select time window”. Each node shall then randomly choose and send one of the two messages at a random time within the time window.

At the end of the bit select time window, a trace recording will show one of the following scenarios:

1. One or two messages of CAN ID 0010h
2. One each of CAN ID 0010h and 0011h
3. One or two messages of CAN ID 0011h

Let us have a closer look at case 2 – one each. If these are transmitted randomly within the bit response time window, then an observer has no way to identify which device sent which message. However, the devices themselves know it and use this information to derive a bit from it.

Unfortunately we cannot use case 1 and 3, so if those happen, both nodes need to recognize it and re-try, using another next bit select time window.

Note 1: If one device wants to enforce a specific bit to the other, it may generate a “flip bit” message at the end of the cycle to indicate to the other device that this bit needs to be flipped.

Note 2: A variation of this scheme is to not use a random delay, but instead ensure that both devices transmit their message immediately after the trigger message. Then both messages arbitrate the bus at the same time and in a trace recording we will always see 0010h followed by 0011h.

Potential attacks: As usual, a denial-of-service kind of attack is always possible. By injecting messages an attacker can break the cycle, the devices would not be able to exchange a key in the first place. If an attacker has full physical access (oscilloscope, transceiver), he can determine which node sent which message. However, there is still some effort required to recognize which bits were actually generated (as participating devices can change interpretation). Last but not least anything “random” is always an attack vector. The participating devices need a reasonably good random number generator.

Nuremberg, 22nd of February 2016: Embedded Systems Academy announces their new book “Implementing Scalable CAN Security with CANcrypt”. You can meet the authors at the Embedded World 2016 from February 23rd to 25th in hall 1, booth 620 – the booth of our partner PEAK-System.

The book covers authentication and encryption for CANopen and other Controller Area Network protocols and will be published in Q2/2016. The introduced CANcrypt system by ESAcademy adds multiple levels of security to CAN. CANcrypt supports the grouping of multiple devices and the encrypted and authenticated communication between them. The CANcrypt security layer sits between CAN driver and higher layers and is therefore independent of higher-layer protocols or applications used.

The required system resources are minimal compared to traditional cryptography methods and can be scaled to the application’s security requirements. A key hierarchy enables implementing of smart, simplified key management that supports manufacturers, system builders/integrators and owners.

Demo and example code will be published using the BSD license.
For more information see www.cancrypt.net

It is a busy start into 2016 with several new products and the Embedded World 2016 coming up next week.

New product – CANopen Logxaminer
Last year, we spent a lot of time helping clients to evaluate long CAN trace recordings and searching for misbehaviour of CANopen devices as well as manually generating statistics about such behaviour. In order to simplify such trace evaluations we wrote a dedicated utility that evaluates CANopen trace recordings. It supports common file formats used by recording tools from PEAK, Vector and ESAcademy.

For more information about the CANopen Logxaminer, follow the link.

New book about CAN security
Within Q2/2016 we will publish a new book, this time about CAN security. Recent publicized hacks show that CAN/CANopen are quite vulnerable, once an intruder/attacker has access to the network. Our new book introduces a scalable method that addresses both authentication and encryption, is independent of the protocol used and free sample code will be provided. A more detailed announcement will be published in our blog at www.esacademy.com/blog next week.

New 2016 price list
Our new 2016 price list is now valid, for current prices visit our CANopen online stores in Europe or USA. Prices have been lowered for the low-level entry version of our CANopen Magic tool as well as for the CANopen Magic high-end version including DLL access for custom test tool developments.

Next week’s Embedded World 2016
This years show in Nuremberg from February 23rd to 25th has almost 1000 exhibitors. For a complete list see
www.embedded-world.de/en/ausstellerprodukte/exhibitorlist

You can meet Chris or me (Olaf) from ESAcademy at the PEAK system booth. Hall 1, booth 620.

If you can not make it to the show and are still interested in selected news and updates, follow Olaf at twitter.com/ESA_Olaf or re-visit our blog after the show for a summary of impressions.

Looking forward to seeing some of you in Nuremberg

Olaf Pfeiffer

The 15th international CAN Conference took place in Vienna on October 27th and 28th 2015. On two days, a total of 23 papers were presented. Topics included current application examples, security and IoT (Internet of Things)  issues and “everything” CAN FD (Flexible Data Rate) related. CAN FD with its increased data rate was the major topic of this conference, many papers were directly related to it.

As CAN FD is not backward compatible to CAN, one of the session topics was migration from CAN to CAN FD. Mixing CAN and CAN FD controllers is only possible if the CAN FD messages are hidden from the CAN controllers as they would generate error frames upon reception. One approach is using partial networking transceivers where traditional CAN controllers are put to sleep during CAN FD communication. After seeing a specific sleep message, transceivers for partial networking can keep the connected CAN controller in sleep mode until a specific wake up message is received – no other message on the network causes a wake-up.

NXP presented a paper about their “FD Shield” transceiver. This transceiver is used to connect legacy CAN controllers to a CAN FD network. The CAN FD traffic is somewhat “shielded” from the CAN controller, only regular CAN traffic passes through but CAN FD messages are blocked as soon as they can be detected. However, there is a side effect: Each CAN FD frame on the network causes a local, not propagated receive error at the CAN controller side. As a result the CAN controller may go error passive. However, as transmits works fine, it will not go bus off and can still be used. Although not perfect, this is a quick and easy solution during a migration phase from CAN to CAN FD.

Another way to quickly connect to CAN FD networks is using Microchips external CAN FD controller using an SPI connection to the host controller. Here designers need to carefully choose the clock rate used on the serial interface side; depending on the CAN FD data rate used the SPI clock might need to be 10 or even 16Mhz. If a CAN FD data rate of 8Mbps is used, then a 10Mhz clock rate on the SPI side is sufficient to handle 100% bus load. However, the host controller of course needs to be able to handle the 10Mhz SPI traffic, too.

Other papers showed how CAN FD can be used in Linux systems, AUTOSAR and J1939, In general, the physical layout for CAN FD networks is not as flexible as it is with regular CAN. With faster bit rates ringing and reflections become more of a problem as they used to be. As usual, if an application tries to get close to the physical limits that a technology provides, more care must be taken when determining the physical layout and terminations.

With more and more CAN networks also getting some “remote access” option or even a gateway/firewall to the Internet, security of CAN networks suddenly becomes more important. In the past, CAN networks could be regarded as “closed” (inside a machinery, no remote access) so no precautions were taken in regards to security. Once a CAN network goes “online”, even if it is by the means of some firewall and even if it is only part-time, the entire security concept needs to be re-evaluated. Recent car hacks have shown that once hackers are past the firewall, they can do “anything” because there is no security layer in the CAN network.

Papers from Robert Bosch GmbH and the CiA showed some possible options to add encryption also to CAN communication, however, that directly has an impact on debugging and testing. If communication between two ECUs is secure, how do we monitor or debug it? So the debugger/tester/logger needs to part of this equation, too. It will be interesting to see where this goes, will at some point security be added to all CAN communication or will it be limit to “relevant” transmissions like commands that actually do something to the system?

Once the papers are added to the CiA’s server system, they will be available for download.

At today’s 15th international CAN conference Olaf Pfeiffer of Embedded Systems Academy presented a paper about testing of highly dynamic CANopen systems. Such systems support plug-and-play and node ID assignment by LSS (Layer Setting Services, node ID gets assigned through the network). As a result, devices may change their node ID, making tests more challenging.

One of the test utilities introduced in this paper is now available as free download from ESAcademy’s web pages. It supports the extended concise DCF (Device Configuration File) as introduced in the paper. It allows you to easily write down configuration or test sequences in a table (save as .csv) and execute them using the free CANopen File Player.

The file format, the concise Default Configuration File is part of the basic CANopen definitions and has been in use for quite some time. The extension to it is simply a definition of a set of commands introducing the option to control things like addressing specific devices (identify by CANopen Identity record 1018h) and time delays / timeouts or user interactions.

In addition, the utility can re-play previously made CAN trace recordings, supporting a wide variety of formats from Vector, PEAK and others.

For more information on the format of the extended CDCF see the manual or download the free utility.