Secure Controller Area Network Logging

2021-01-0136

04/06/2021

Event: SAE WCX Digital Summit

Abstract
Practical encryption is an important tool in improving the cybersecurity posture of vehicle data loggers and engineering tools. However, low-cost embedded systems struggle with reliably capturing and encrypting all frames on the vehicle networks. In this paper, implementations of symmetric and asymmetric algorithms were used to perform envelope encryption of session keys with symmetric encryption algorithms while logging vehicle controller area network (CAN) traffic. Maintaining determinism and minimizing latency are primary considerations when implementing cryptographic solutions in an embedded system. To satisfy the timing requirements for vehicle systems, the memory-mapped Cryptographic Acceleration Unit (mmCAU) on the NXP K66 processor enabled 6.4Mb/sec symmetric encryption rates, which enables logging of multiple channels at 100% bus load. AES-128 in Cipher Block Chaining (CBC) mode provides the encryption for data confidentiality. Errors and integrity checks are handled by a Cyclic Redundancy Check (CRC) checksum within the data, and digitally signed SHA256 hash values of the overall encrypted record secure the integrity of the data. A hardware security module (HSM) is utilized to store asymmetric key pairs for key management. The HSM implements Elliptic-Curve Cryptography (ECC) algorithms for key exchanges and digital signatures. Secure collection and secure data uploads to a central server are demonstrated. This work and the source code are open source with the goal of inspiring improved secure communications for vehicle networks.
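The two integrity layers named in the abstract, a CRC inside the encrypted data and a signed SHA256 hash over the encrypted record, can be sketched as follows; this is an added example in Go using only the standard library, not the paper's open-source code. The 512-byte buffer layout, little-endian CRC-32, P-256 curve, signing over IV plus ciphertext, the `entropy` variable and the names `Seal` and `Open` are all assumptions made here; the signing key is held in software rather than an HSM, and the envelope wrapping of the session key is left out.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)
const dataLen = 508           // assumed buffer layout: 508 data bytes + 4-byte CRC-32
var entropy = rand.Reader     // randomness for key generation and signing

// Seal returns iv || AES-128-CBC(data || crc) and an ECDSA signature over its SHA-256.
func Seal(data *[dataLen]byte, key *[16]byte, priv *ecdsa.PrivateKey) (rec, sig []byte, err error) {
	rec = make([]byte, 16+dataLen+4)
	if _, err = rand.Read(rec[:16]); err != nil { // fresh random IV per record
		return nil, nil, err
	}
	copy(rec[16:], data[:])
	binary.LittleEndian.PutUint32(rec[16+dataLen:], crc32.ChecksumIEEE(data[:]))
	blk, _ := aes.NewCipher(key[:]) // cannot fail: key is exactly 16 bytes
	cipher.NewCBCEncrypter(blk, rec[:16]).CryptBlocks(rec[16:], rec[16:])
	h := sha256.Sum256(rec) // the hash covers the IV and the ciphertext
	sig, err = ecdsa.SignASN1(entropy, priv, h[:])
	return rec, sig, err
}

func Open(rec, sig []byte, key *[16]byte, pub *ecdsa.PublicKey) ([]byte, error) {
	h := sha256.Sum256(rec)
	if len(rec) != 16+dataLen+4 || !ecdsa.VerifyASN1(pub, h[:], sig) { // signature first
		return nil, fmt.Errorf("record rejected before decryption")
	}
	blk, _ := aes.NewCipher(key[:])
	body := make([]byte, dataLen+4)
	cipher.NewCBCDecrypter(blk, rec[:16]).CryptBlocks(body, rec[16:])
	if crc32.ChecksumIEEE(body[:dataLen]) != binary.LittleEndian.Uint32(body[dataLen:]) {
		return nil, fmt.Errorf("CRC mismatch: wrong session key or corrupt plaintext")
	}
	return body[:dataLen], nil
}

func main() { // constructed demo: throwaway signing key, fixed sample key and data
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), entropy)
	rec, sig, _ := Seal(&[dataLen]byte{0x18, 0xFE, 0xF1}, &[16]byte{1}, priv)
	_, err := Open(rec, sig, &[16]byte{1}, &priv.PublicKey)
	fmt.Println(len(rec), err)
}
```

The CRC only catches accidental corruption or a wrong session key; CBC ciphertext is malleable, so resistance to deliberate modification comes from the signature, which is checked before any decryption.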
Details
DOI: https://doi.org/10.4271/2021-01-0136
Pages: 18
Citation: Daily, J., and Van, D., "Secure Controller Area Network Logging," SAE Technical Paper 2021-01-0136, 2021, https://doi.org/10.4271/2021-01-0136.

Additional Details
Published: Apr 6, 2021
Product Code: 2021-01-0136
Content Type: Technical Paper
Language: English