CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping

Eric Wagner, Frederik Basels, Jan Bauer, Till Zimmermann, Klaus Wehrle, Martin Henze

TL;DR

This work addresses the lack of effective multicast source authentication in CAN, where masquerading attacks by compromised ECUs pose severe safety risks. It proposes Caiba, a novel scheme that uses an authenticator to reactively overwrite a bitwise-overlapping authentication tag, enabling instantaneous source verification without additional per-message verification delay and with minimal overhead. Caiba combines an integrity tag $t^{i}$ with a source-authenticating tag $t^{s}$ such that $t = t^{i} \oplus t^{s}$ is transmitted, while receivers verify only $t^{i}$; the authenticator supplies $t^{s}$ but cannot generate valid $t^{i}$ itself. The approach is designed to be incrementally deployable on CAN, remains compatible with legacy receivers, and demonstrates comparable reliability to standard CAN on low-rate buses, with hardware acceleration suggested for higher speeds. Overall, Caiba provides strong protection against masquerading attacks by leveraging a line-rate authenticator and a fast BP-MAC-based tag computation, enabling practical, secure multicast CAN communication in AUTOSAR SecOC-equipped networks.

Abstract

Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication. Recent cyberattacks have, however, exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s. Current efforts to retrofit security via intrusion detection or message authentication codes are insufficient to fully secure CAN as they cannot adequately protect against masquerading attacks, where a compromised communication device, a so-called electronic control unit, imitates another device. To remedy this situation, multicast source authentication is required to reliably identify the senders of messages. In this paper, we present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN. CAIBA relies on an authenticator overwriting authentication tags on-the-fly, such that a receiver only reads a valid tag if not only the integrity of a message but also its source can be verified. To integrate CAIBA into CAN, we devise a special message authentication scheme and a reactive bit overwriting mechanism. We achieve interoperability with legacy CAN devices, while protecting receivers implementing the AUTOSAR SecOC standard against masquerading attacks without communication overhead or verification delays.

Paper Structure

This paper contains 54 sections, 1 equation, 9 figures, 1 table.

Figures (9)

  • Figure 1: To transmit data, CAN uses differential encoding on two wires, CAN_H and CAN_L. We display a base format CAN frame with 8 bytes of payload as used to control hundreds of millions of cars every day. Note the gap in the payload and CRC field for increased readability.
  • Figure 2: Caiba employs an integrity-protecting tag $t^{i}$ and a source-authenticating tag $t^{s}$ that are computed by the MAC function $\sigma$ using the source and group keys, $k^{\text{source}}_{j}$ and $k^{\text{group}}$, and are XORed by the sender to protect a message $m$. During transmission, the authenticator computes $t^{s}$ and overwrites the message such that only $t^{i}$ remains. The integrity-protecting tag $t^{i}$ that is read by the receivers can then be verified with a conventional group key without knowledge of the source key.
  • Figure 3: A BP-MAC tag is computed by XORing a default tag $t_{\text{default}}$, a masking tag $t_{\text{mask}}$, and a bitflip $t_{\text{bitflip}}$ for each bit $b_i$ in a message that is set to 1. All of these individual tags can be computed ahead of time, only the XOR needs to be performed once the message is known.
  • Figure 4: BP-MAC tags can be computed incrementally with each received bit, such that a single XOR operation suffices to compute the final tag once the final bit is read.
  • Figure 5: Recording of the bus lines and transceiver's RX output during transmissions including sampling points.
  • ...and 4 more figures
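
The tag flow from the Figure 2 to 4 captions, as an added Python sketch that is not code from the paper: a bitwise-precomputed MAC ($t_{\text{default}} \oplus t_{\text{mask}} \oplus$ the $t_{\text{bitflip}}$ of every 1-bit, absorbed one bit at a time), the sender's $t = t^{i} \oplus t^{s}$, the authenticator's overwrite, and the receiver's group-key check. Assumptions: the individual tags are derived with truncated HMAC-SHA256, the masking tag depends on a message counter, tags are 32 bits, all key and function names are hypothetical, and the on-bus overwrite is modeled as an XOR rather than at the physical layer.

```python
import hmac, hashlib

TAG_BYTES = 4  # constructed tag length for this sketch

def _prf(key: bytes, label: bytes) -> int:
    # Assumed PRF (HMAC-SHA256, truncated) for deriving the precomputed tags.
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest()[:TAG_BYTES], "big")

class BitwiseMac:
    """tag = t_default ^ t_mask ^ XOR of t_bitflip[i] for every message bit set to 1."""
    def __init__(self, key: bytes, n_bits: int):
        self.key = key
        self.t_default = _prf(key, b"default")
        self.t_bitflip = [_prf(key, b"bit" + i.to_bytes(2, "big")) for i in range(n_bits)]

    def start(self, counter: int) -> int:
        # Computable before the message is known; the counter-derived mask is an assumption.
        return self.t_default ^ _prf(self.key, b"mask" + counter.to_bytes(8, "big"))

    def absorb(self, state: int, i: int, bit: int) -> int:
        # Incremental step: a single XOR for each received bit that is 1.
        return state ^ self.t_bitflip[i] if bit else state

    def tag(self, bits, counter: int) -> int:
        state = self.start(counter)
        for i, b in enumerate(bits):
            state = self.absorb(state, i, b)
        return state

def sender_tag(group, source, bits, counter):
    return group.tag(bits, counter) ^ source.tag(bits, counter)  # t = t_i ^ t_s

def authenticator_overwrite(sent_tag, claimed_source, bits, counter):
    # Holds only source keys: removes t_s of the claimed source, cannot produce t_i.
    return sent_tag ^ claimed_source.tag(bits, counter)

def receiver_accepts(group, bits, counter, bus_tag):
    expected = group.tag(bits, counter)  # receiver needs the group key only
    return hmac.compare_digest(bus_tag.to_bytes(TAG_BYTES, "big"), expected.to_bytes(TAG_BYTES, "big"))

def demo():
    n = 64
    bits = [(0xDEADBEEF00C0FFEE >> (n - 1 - i)) & 1 for i in range(n)]  # constructed payload
    group, ecu_a = BitwiseMac(b"k-group", n), BitwiseMac(b"k-source-A", n)
    ecu_b = BitwiseMac(b"k-source-B", n)  # other group member without A's source key
    honest = authenticator_overwrite(sender_tag(group, ecu_a, bits, 7), ecu_a, bits, 7)
    forged = authenticator_overwrite(sender_tag(group, ecu_b, bits, 7), ecu_a, bits, 7)
    bare = authenticator_overwrite(group.tag(bits, 7), ecu_a, bits, 7)  # t_i sent without t_s
    return tuple(receiver_accepts(group, bits, 7, t) for t in (honest, forged, bare))
```

`demo()` returns the receiver's verdict for a frame from the legitimate source, a frame tagged with another ECU's source key, and a frame carrying only the group-key tag; only the first leaves a valid $t^{i}$ on the bus.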